US20110013637A1 - Method, System and Gateway for Remotely Accessing MPLS VPN - Google Patents
- Publication number
- US20110013637A1 (application US12/836,439)
- Authority
- US
- United States
- Prior art keywords
- vpn
- packet
- user
- ssl
- label
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/50—Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
- G06Q20/027—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP] involving a payment switch or gateway
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L12/4675—Dynamic sharing of VLAN information amongst network nodes
- H04L12/4679—Arrangements for the registration or de-registration of VLAN attribute values, e.g. VLAN identifiers, port VLAN membership
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/02—Topology update or discovery
- H04L45/04—Interdomain routing, e.g. hierarchical routing
Definitions
- the present invention relates to Secure Socket Layer Virtual Private Network (SSL VPN) technologies and Multi-Protocol Label Switching Virtual Private Network (MPLS VPN) technologies, and more particularly to a method and system for remotely accessing an MPLS VPN, and a gateway applied to the system.
- SSL VPN: Secure Socket Layer Virtual Private Network
- MPLS VPN: Multi-Protocol Label Switching Virtual Private Network
- FIGS. 1A and 1B show diagrams illustrating network structures of the SSL VPN.
- an SSL connection is established between a remote host and an SSL VPN gateway, and packets traverse the Internet encrypted.
- the SSL VPN gateway terminates the SSL connection, forwards the request from the remote host in plaintext, either through a Transmission Control Protocol (TCP) connection established between the SSL VPN gateway and a VPN resource server of the inner network or through direct IP forwarding, and returns the server's response to the remote host through the SSL connection.
- TCP: Transmission Control Protocol
- Remote access modes of users include a TCP access mode, a WEB access mode and an IP access mode.
- The remote access processes of the TCP access mode and the WEB access mode are the same, and differ slightly from the remote access process of the IP access mode.
- the remote access process includes the following steps.
- Step A: the user1 interacts with an SSL VPN gateway and establishes the connections needed for remote access.
- Step A specifically includes the following.
- a1: through a remote host, the user1 requests the SSL VPN gateway to perform logon and authentication; after the user1 passes the logon and authentication, the SSL VPN gateway returns a user resource page to the user1, and the user resource page lists the VPN resources that the user1 is allowed to access.
- a2: in the TCP/WEB access mode the gateway must maintain a bidirectional connection relation table, i.e. the pairing of the SSL connection between the SSL VPN gateway and the user host with a TCP connection between the SSL VPN gateway and a VPN resource server; hence the user1 sends a user identity (ID) and the ID of the VPN resource to be accessed to the SSL VPN gateway through the established SSL connection.
- the user ID identifies the user; the ID of the VPN resource indicates the resource requested to be accessed.
- the SSL VPN gateway establishes and maintains the TCP connection between the SSL VPN gateway and a VPN resource server 1 to which the VPN resource requested to be accessed belongs for the user1.
- The two ends of the TCP connection established for the user1 are the private network address of a physical exit interface on the SSL VPN gateway, 172.1.1.1, and the private network address of the VPN resource server 1, 10.3.1.1.
- Step B: after the connections needed for remote access are established, the user1 sends a packet to the SSL VPN gateway through the SSL connection, and the SSL VPN gateway sends the packet received through the SSL connection to the VPN resource server 1 through the TCP connection established for the user1.
- the packet sent from the user1 to the SSL VPN gateway merely carries a public network IP header.
- a public network source address in the public network IP header is a public network address of a remote host used by the user1, 60.191.123.24
- a public network destination address in the public network IP header is a public network address of the SSL VPN gateway, 220.189.204.90.
- the core component of the SSL VPN gateway is an SSL VPN service unit.
- the SSL VPN service unit includes three modules, a TCP access mode processing module, a WEB access mode processing module and an IP access mode processing module. Packet forwarding procedures of the TCP access mode processing module and the WEB access mode processing module are similar, and thus the above two modules may be deemed as one module, i.e. a TCP/WEB access mode processing module.
- the TCP/WEB access mode processing module operates on an application layer, while the IP access mode processing module operates on both the application layer and an IP layer.
- the forwarding process in step B includes sub-steps b1 to b3.
- the IP layer removes the public network IP header and sends the data part of the packet to the TCP/WEB access mode processing module located on the application layer via a TCP layer;
- the TCP/WEB access mode processing module determines to forward the received packet through the TCP connection established for the user1 according to the bidirectional connection relation table; in this case, the packet is sent to the TCP layer;
- the TCP layer adds a private network IP header to the packet according to the TCP connection established for the user1 (172.1.1.1 to 10.3.1.1), and sends the packet to the IP layer; where a private network source address and a private network destination address in the private network IP header are 172.1.1.1 and 10.3.1.1 respectively;
- the IP layer performs route searching according to a destination address of the packet, and then forwards the packet via the physical exit interface 172.1.1.1.
- Step C: the SSL VPN gateway receives a response packet returned by the VPN resource server 1 through the TCP connection, and returns the response packet to the user1 through the SSL connection.
- This step is the reverse of step B.
- the IP layer removes the private network IP header of the response packet and sends the response packet to the TCP/WEB access mode processing module through the TCP layer, and the TCP/WEB access mode processing module determines to return the response packet through the SSL connection between the user1 and the TCP/WEB access mode processing module.
- the TCP layer adds a public network IP header to the response packet.
- the IP layer performs the route searching and forwards the response packet.
- In the IP access mode, in step a1 the SSL VPN gateway, besides returning the user resource page, also randomly selects one IP address from the address pool and allocates it to the user1 as a source address, i.e. a virtual address used by the user1 when accessing the VPN resource server. Suppose the virtual address is 10.1.1.2.
- the SSL VPN gateway needs to maintain a relation table of the users, the virtual addresses and the SSL connections, but does not need to know the VPN resource server to be accessed by the user1. Therefore, during the information interaction with the SSL VPN gateway, the user1 only needs to send the user ID to the SSL VPN gateway through the SSL connection established.
- In step B of the IP access mode, the user1 still sends the packet to the SSL VPN gateway through the SSL connection, but the packet carries not only the public network IP header described above but also a private network IP header.
- the packet sent by the user1 is, for example, packet ① shown in FIG. 1B.
- the public network IP header of packet ① is the same as that shown in FIG. 1A.
- the private network source address is the virtual address of the user1, 10.1.1.2.
- the private network destination address is the private network address of the VPN resource server to be accessed, 10.3.1.1.
- the private network address of the VPN resource server may be obtained by the user1 in advance.
- the IP layer removes the public network IP header, and sends the packet to the IP access mode processing module through the TCP layer.
- the IP access mode processing module determines to transmit the packet directly according to the private network IP header.
- the packet without the public network IP header may be packet ② as shown in FIG. 1B.
- In step C of the IP access mode, the SSL VPN gateway receives a response packet returned by the VPN resource server 1; the IP access mode processing module determines, according to the relation table of the users, the virtual addresses and the SSL connections, to return the response packet through the SSL connection between the IP access mode processing module and the user1; then the TCP layer adds a public network IP header to the response packet, and the IP layer performs the route search and forwards the response packet to the user1.
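The two conventional access modes above differ in what state the gateway has to keep per session: a pairing of SSL connection and gateway-to-server TCP connection in the TCP/WEB mode, and a user/virtual-address/SSL-connection relation table plus an address pool in the IP mode. The following is an added example, not code from the patent, that models both tables with the addresses quoted in the description; the connection IDs, the class and method names, and the check that a user's private source address matches the virtual address allocated to that session are assumptions of this example.

```python
"""Added example (not code from the patent): the per-session state a conventional SSL
VPN gateway keeps for the TCP/WEB access mode and the IP access mode of FIGS. 1A/1B.
Addresses are the ones quoted in the description; connection IDs, the class and
method names and the private-source-address check are assumptions of this example."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Optional, Tuple

GATEWAY_PUBLIC = "220.189.204.90"     # public address of the SSL VPN gateway
GATEWAY_PRIVATE_EXIT = "172.1.1.1"    # physical exit interface towards the inner network


@dataclass(frozen=True)
class SslConn:
    """An established, authenticated SSL connection from a remote host."""
    conn_id: int
    user_id: str
    peer: str                         # public address of the remote host, e.g. 60.191.123.24


class TcpWebGateway:
    """TCP/WEB mode: SSL is terminated here and the request is relayed over a TCP
    connection the gateway opens to the resource server. The bidirectional connection
    relation table pairs each SSL connection with that TCP connection."""

    def __init__(self) -> None:
        self.ssl_to_tcp: Dict[int, Tuple[str, str]] = {}   # ssl conn id -> (gw addr, server addr)
        self.tcp_to_ssl: Dict[Tuple[str, str], int] = {}   # reverse direction

    def open_resource(self, ssl: SslConn, resource_server: str) -> None:
        """Step a2: the user sent (user ID, resource ID); open 172.1.1.1 -> server."""
        key = (GATEWAY_PRIVATE_EXIT, resource_server)
        self.ssl_to_tcp[ssl.conn_id] = key
        self.tcp_to_ssl[key] = ssl.conn_id

    def forward_request(self, ssl_conn_id: int, payload: bytes) -> Optional[dict]:
        """Step B (b1-b3): after the public IP header is removed, look the SSL connection
        up in the relation table and re-encapsulate with the private IP header."""
        key = self.ssl_to_tcp.get(ssl_conn_id)
        if key is None:
            return None
        return {"ip_src": key[0], "ip_dst": key[1], "data": payload}

    def forward_response(self, ip_src: str, ip_dst: str) -> Optional[int]:
        """Step C: reverse lookup from the (gateway, server) TCP connection to the SSL
        connection the response must be returned on."""
        return self.tcp_to_ssl.get((ip_dst, ip_src))


class IpModeGateway:
    """IP mode: the user is given a virtual address from the pool and builds the private
    IP packet itself; the gateway only needs the user/virtual-address/SSL relation table."""

    def __init__(self, pool: str = "10.1.1.0/24") -> None:
        hosts = [str(h) for h in ip_network(pool).hosts()]
        self.free = hosts[1:]            # 10.1.1.1 is kept for the gateway itself
        self.by_user: Dict[str, Tuple[str, int]] = {}    # user -> (virtual addr, ssl conn id)
        self.by_vaddr: Dict[str, Tuple[str, int]] = {}   # virtual addr -> (user, ssl conn id)

    def login(self, ssl: SslConn, vaddr: Optional[str] = None) -> str:
        """Step a1 (IP mode): allocate the virtual address. The patent picks it at random
        from the pool; passing one explicitly keeps this example deterministic."""
        vaddr = vaddr or self.free[0]
        if vaddr not in self.free:
            raise ValueError(f"{vaddr} is not a free pool address")
        self.free.remove(vaddr)
        self.by_user[ssl.user_id] = (vaddr, ssl.conn_id)
        self.by_vaddr[vaddr] = (ssl.user_id, ssl.conn_id)
        return vaddr

    def forward_request(self, ssl_conn_id: int, user_id: str,
                        inner_src: str, inner_dst: str) -> Optional[dict]:
        """Step B (IP mode): forward packet (2) as built by the user, but only when its
        private source is the virtual address allocated to this very SSL session
        (added check: without it a user could emit packets under another user's address)."""
        if self.by_user.get(user_id) != (inner_src, ssl_conn_id):
            return None
        return {"ip_src": inner_src, "ip_dst": inner_dst}

    def forward_response(self, inner_dst: str) -> Optional[int]:
        """Step C (IP mode): the response is addressed to the virtual address; map it back
        to the SSL connection through the relation table."""
        entry = self.by_vaddr.get(inner_dst)
        return entry[1] if entry else None
```

The point of keeping both directions of each table is that the return path never trusts anything in the response packet beyond the connection or virtual address the gateway itself assigned; likewise the source-address check in the IP mode ties the private header the user constructed to the authenticated SSL session it arrived on.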
- MPLS L3VPN is a Layer 3 (L3) VPN technology built on Provider Edge (PE) routers and used in service provider VPN solutions.
- MPLS L3VPN distributes VPN routes across the MPLS network using the Border Gateway Protocol (BGP) and forwards packets within the MPLS network by label switching.
- FIG. 2 is a schematic diagram illustrating a conventional network structure of an MPLS L3VPN. As shown in FIG. 2 , the MPLS L3VPN model consists of the following three parts.
- a Customer Edge (CE) device, called CE for short, has an interface directly connecting with a Provider Edge (PE) router.
- the CE may be a router, a switch or a host.
- the CE is not aware of the existence of the VPN and does not need to support MPLS.
- a PE router called PE for short, is an edge device of the MPLS network, and directly connects with the CE. In the MPLS network, all processing of VPN information is maintained in the PE.
- VPN Routing & Forwarding Instances called VPN instances, are stored in the PE.
- a routing forwarding table and an MPLS label forwarding table are included in the VPN instance.
- the routing forwarding table includes two kinds of routes, one is for indicating an exit interface through which a packet from the CE is to be forwarded, and the other is for indicating an exit interface through which a packet from the P router is to be forwarded.
- the MPLS label forwarding table includes two kinds of table entries, one is a VPN label (inner layer label) of each VPN, and the other is a forwarding entry, i.e. for indicating next hop P router information and an MPLS forwarding label for a packet from the CE.
- the P router is a backbone router of the MPLS network, does not directly connect with the CE, only needs to have basic MPLS forwarding capability and does not need to maintain VPN information.
- different physical interfaces of the PE router connect with different CE devices, one physical interface is bound with one VPN, and a VPN instance of the VPN is formed according to the physical interface bound with the VPN.
- on receiving a packet from a CE, the PE router determines the VPN to which the packet belongs according to the physical interface it arrived on, and forwards the packet by using the VPN instance of that VPN.
- the forwarding processing includes: searching for an exit interface of the packet according to a routing forwarding table, and searching for a VPN label (inner layer label), an MPLS forwarding label (outer layer label), next hop P device information and the like according to the MPLS label forwarding table; adding a VPN label and an MPLS label to the packet according to the found information, and forwarding the packet.
- on receiving a packet from the P router, the PE router searches for a VPN instance according to the VPN label contained in the packet, and forwards the packet to the CE device through the physical interface bound with that VPN instance.
- the PE router may also differentiate different VPN users according to Virtual Local Area Network (VLAN) access information.
- VLAN: Virtual Local Area Network
- An embodiment of the present invention provides a method for remotely accessing an MPLS VPN, so that a remote user can remotely access a VPN resource in the MPLS VPN through an SSL connection between the remote user and an SSL VPN gateway.
- the remote user remotely accesses a VPN resource server in the MPLS VPN through the SSL connection between the remote user and the SSL VPN gateway, and the SSL VPN gateway also functions as a PE router in the MPLS network. And packets received by the SSL VPN gateway from the VPN resource server or transmitted by the SSL VPN gateway to the VPN resource server are transmitted through the MPLS network.
- the method includes steps of:
- A establishing multiple virtual interfaces in the SSL VPN gateway, one virtual interface being bound with one VPN, and forming VPN instances according to the virtual interfaces bound with VPNs, differentiating different VPN users according to authentication and authorization information of users, and binding the authentication and authorization information of the users with VPNs respectively;
- D receiving, by the SSL VPN gateway, a response packet from the VPN resource server, searching for a VPN instance according to a VPN label carried by the response packet, and forwarding the response packet to the user through the SSL connection according to the found VPN instance.
- An embodiment of the present invention provides a gateway, functioning as an SSL VPN gateway and a PE router, so that a remote user can remotely access a VPN resource in an MPLS VPN through an SSL connection between the remote user and an SSL VPN gateway.
- the gateway functions as an SSL VPN gateway in the SSL VPN and a PE router in the MPLS VPN, and includes:
- a configuration unit, a first network interface, a second network interface, a processing unit, a VPN instance storing unit and a relation storing unit;
- configuration unit is adapted to establish multiple virtual interfaces, one virtual interface being bound with one VPN, form VPN instances according to the virtual interfaces bound with the VPNs, save the VPN instances in the VPN instance storing unit; differentiate different VPN users according to authentication and authorization information of users, bind the authentication and authorization information of the users with corresponding VPNs respectively; save binding relations in the relation storing unit;
- the relation storing unit is adapted to store the binding relations established by the configuration unit;
- the VPN instance storing unit is adapted to store the VPN instances;
- the first network interface is adapted to provide a data transmission channel between the gateway and the users
- the second network interface is adapted to provide a data transmission channel between the gateway and an MPLS network
- the processing unit is adapted to perform information interaction with a user and establish a connection related to a remote access; when receiving a packet sent by the user x through the SSL connection, obtain a VPN instance bound with authentication and authorization information of the user x from the VPN instance storing unit according to a binding relation stored in the relation storing unit, add a VPN label and an MPLS forwarding label to the packet by using the VPN instance obtained, send the packet to the VPN resource server through the MPLS network; when receiving a response packet from the VPN resource server, search for a corresponding VPN instance in the VPN instance storing unit according to a VPN label carried by the response packet, and forward the response packet to the user x through the SSL connection according to the found VPN instance.
- An embodiment of the present invention provides a system for remotely accessing an MPLS VPN, so that a remote user can remotely access a VPN resource in the MPLS VPN through an SSL connection between the remote user and an SSL VPN gateway.
- the system includes any of the gateways described above.
- the system includes the gateway described above.
- embodiments of the present invention establish virtual interfaces bound respectively with VPNs, and thus each VPN binds with one virtual interface, so that VPN instances corresponding to different VPNs are formed and used when a packet is forwarded.
- embodiments of the present invention differentiate different VPN users by using authentication and authorization information of users, so that the users can be differentiated when the SSL VPN gateway provides only one physical interface for the users, and thus can further forward the packet by using a corresponding VPN instance, thereby implementing the scheme of remotely accessing the VPN resource in the MPLS VPN by the remote user.
- FIG. 1A is a schematic diagram illustrating a conventional network structure of an SSL VPN.
- FIG. 1B is a schematic diagram illustrating a conventional network structure of an SSL VPN.
- FIG. 2 is a schematic diagram illustrating a conventional networking structure of an MPLS L3VPN.
- FIG. 3 is a schematic diagram illustrating a network structure when an SSL VPN gateway also functions as a PE router.
- FIG. 4 is a flowchart illustrating accessing an MPLS VPN by a remote user through an SSL connection in a TCP/WEB access mode according to a first embodiment of the present invention.
- FIG. 5 is a flowchart illustrating accessing an MPLS VPN by a remote user through an SSL connection in an IP access mode according to a second embodiment of the present invention.
- FIG. 6 is a schematic diagram illustrating a structure of an SSL VPN gateway according to an embodiment of the present invention.
- FIG. 7 is a schematic diagram illustrating a structure of an SSL VPN gateway when an access to a VPN resource server is in a TCP/WEB mode according to an embodiment of the present invention.
- FIG. 8 is a schematic diagram illustrating a structure of an SSL VPN gateway when an access to a VPN resource server is in an IP mode according to an embodiment of the present invention.
- an SSL VPN gateway also functions as a PE router in an MPLS L3VPN, so as to solve a problem of connecting the SSL VPN gateway and the MPLS L3VPN.
- all MPLS VPNs described below are MPLS L3VPNs.
- FIG. 3 is a schematic diagram illustrating a network structure when an SSL VPN gateway also functions as a PE router.
- a user1 belongs to a VPN1
- a user2 belongs to a VPN2, and the two users access VPN resources respectively through different remote hosts;
- a CE1 and a CE2 are VPN resource servers, a VPN1 resource is configured at the CE1, and a VPN2 resource is configured at the CE2.
- Data are transmitted between the remote host and the SSL VPN gateway through an SSL connection, and the SSL VPN gateway functions as a PE router at the same time and connects with a P router in an MPLS network.
- the SSL VPN gateway functioning as the PE router, is different from the PE router shown in FIG. 2 .
- the SSL VPN gateway exposes only one network interface on each side: as shown in FIG. 3, one interface towards the Internet and one towards the MPLS network.
- therefore the SSL VPN gateway cannot bind physical interfaces to VPNs, as ordinary PE routers do, in order to differentiate VPN users by the ingress interface of a packet.
- the SSL VPN gateway is configured between the Internet and a local area network, and packets received from users have already been transmitted through the Internet and thus do not carry VLAN access information.
- different VPN users can not be differentiated according to the VLAN access information carried by the packets, either.
- the SSL VPN gateway maintains some authentication and authorization information of the users, and thus different users are differentiated by using the authentication and authorization information of the users in the embodiments of the present invention.
- the SSL VPN gateway functioning as the PE router needs to have functions of both the SSL VPN gateway and the PE router, and thus the SSL VPN gateway also needs to perform conversion between SSL messages and MPLS messages, and needs to allow the remote access to the MPLS VPN by using one of or any combination of three access modes of the SSL VPN.
- the embodiment of the present invention provides a method for remotely accessing an MPLS VPN, and the method includes the following steps.
- A multiple virtual interfaces are established in an SSL VPN gateway, one VPN is bound with one virtual interface, and VPN instances are formed according to the virtual interfaces bound with the VPNs.
- the VPNs bound with the virtual interfaces are MPLS VPNs.
- the two kinds of VPNs are not distinguished hereinafter and are referred to jointly as VPNs.
- Different VPN users are differentiated according to authentication and authorization information of the users, so that SSL VPN users are differentiated and directed to different MPLS VPNs. And then the authentication and authorization information of a user is bound with a corresponding VPN.
- a user x performs information interaction with the SSL VPN gateway, and establishes a connection related to the remote access.
- the SSL VPN gateway receives a packet sent by the user x through an SSL connection, adds a VPN label and an MPLS forwarding label to the received packet according to a VPN instance bound with the authentication and authorization information of the user x, and sends the packet to a VPN resource server through an MPLS network.
- the SSL VPN gateway receives a response packet from the VPN resource server, searches for a VPN instance according to a VPN label carried by the response packet, and forwards the response packet to the user x through the SSL connection according to the found VPN instance.
- the virtual interfaces are established and are respectively bound with the VPNs, and each VPN is bound with one virtual interface so that the VPN instances corresponding to different VPNs are formed and are used when the packets are forwarded.
- because the SSL VPN gateway provides only one physical interface for the users, a characteristic of the SSL VPN gateway is exploited: the authentication and authorization information of the users is used to differentiate VPN users, so that the users can be told apart even though they all arrive on one physical interface. Packets can then be forwarded by using the corresponding VPN instances, and thereby the remote user can access the VPN resource in the MPLS VPN.
- different VPN users are differentiated by user groups which are indicated in the authentication and authorization information and which users belong to.
- public users, i.e. users that belong to no VPN, can also be differentiated in the same way, for example by the user group indicated in the authentication and authorization information.
- different VPN users may be differentiated by using one or any combination of the user groups, virtual areas and roles indicated in the authentication and authorization information.
- the MPLS VPN and the SSL VPN should be configured firstly.
- Related configurations of the MPLS VPN are the same as those of regular MPLS VPNs, and will not be described herein.
- Related configurations of the SSL VPN include the following steps.
- address pools are configured; each address pool corresponds to one VPN, and the address pools are used only in the IP access mode.
- the virtual interface may be an SSL VPN Virtual Ethernet (SVE) interface, called virtual interface for short, or may be a Loopback interface.
- SVE: SSL VPN Virtual Ethernet
- the SVE interface is taken as an example.
- Each VPN instance includes a routing forwarding table and an MPLS label forwarding table.
- the routing forwarding table includes two kinds of routes, one is for indicating an exit interface through which a packet received from the VPN resource servers is to be forwarded, and the other is for indicating an exit interface through which a packet received from the users is to be forwarded.
- the first kind of routes include two routes. One is used in the TCP/WEB access mode, and the other route is used in the IP access mode, which will be described in detail below.
- the MPLS label forwarding table includes two kinds of table entries, one is a mapping relation between VPNs and VPN labels (inner layer labels), and the other is for indicating next hop P router information and an MPLS forwarding label for a packet received from the users.
- the virtual interface is authorized to the user group.
- the authorization operation is to bind the virtual interface with the user group. Because the virtual interface is bound with the VPN in step 2, the user group, the virtual interface and the VPN instance are in a binding relation after step 4. Regarding which virtual interface is bound with which user group, it should be determined according to the VPN resource which the user group is allowed to access. For example, a user group 1 is allowed to access resources in VPN1, and then a virtual interface corresponding to the VPN1 is bound with the user group 1. Those skilled in the art can easily understand the forming of the binding relation.
- UVR: User to VPN Relation table
- the UVR table includes the following fields: a user ID, a user group, a virtual interface, a bound VPN instance.
- the field of the bound VPN instance in table 1 further includes an index of a VPN label.
- Table 1 is the UVR table formed according to the networking structure shown in FIG. 3 .
- a user1 belongs to a user group Vpn1group, the user group Vpn1group is bound with a virtual interface SVE1/0, the VPN instance bound with the SVE1/0 is a VPN1 instance, and the label index of the VPN1 instance is 1.
- a user2 is similar to the user1.
- a user3 is a common user and does not belong to any VPN.
- the user3 belongs to a public user group (Pubgroup), and no virtual interface or VPN instance is bound with the Pubgroup, thus the field of the bound VPN instance records, for example, PUBLIC(0).
- the VPN instances corresponding to different VPNs are formed in the SSL VPN gateway.
- the VPN instances corresponding to the VPN1 and the VPN2 are taken as an example. In the VPN instances described below, only the fields closely related to the embodiments of the present invention are listed and unrelated fields are omitted.
- the routing forwarding table of the VPN includes:
- In the routing forwarding table of the VPN1, the contents of the Routing Table are the first kind of routes, and this kind includes two routes.
- the destination of the first route is the network segment 10.1.1.0/24 to which the virtual interface SVE1/0 bound with the VPN1 and the address pool of the VPN1 belong, and its next hop is the IP address of the virtual interface SVE1/0, 10.1.1.1.
- This route is applicable to the IP access mode.
- when a packet received from the VPN resource server matches 10.1.1.0/24, the next hop is determined as 10.1.1.1, i.e. the virtual interface SVE1/0, and the packet is forwarded directly through the virtual interface SVE1/0. How this route is used in the IP access mode will be described hereinafter.
- a destination address of the second route is an IP address of the virtual interface SVE1/0 bound with the VPN1, 10.1.1.1/32, and a next hop of the second route points to an InLoopBack0 interface address 127.0.0.1.
- This route is applicable to the TCP/WEB access mode.
- when a packet received from the VPN resource server matches 10.1.1.1/32, the next hop is determined as 127.0.0.1, i.e. the packet is destined for the gateway itself, and the IP layer hands the packet up through the TCP layer to the SSL VPN service module in the application layer to be processed and forwarded. How this route is used in the TCP/WEB access mode will be described hereinafter.
- contents of the VPN Routing Table are the second kind of routes.
- the second kind of routes includes the following route: its destination is the network segment to which the VPN resource server belongs, 10.3.1.0/24, and its next hop is the address of the opposite PE device that peers with the SSL VPN gateway over a BGP session, 3.3.3.9, which is a loopback interface address of that PE device.
- This route is applicable to any access mode.
- when a packet from a user matches 10.3.1.0/24, the next hop is determined as 3.3.3.9.
- Configurations of the VPN routing forwarding table of the VPN2 are similar to those of the VPN1, and will not be described in detail again.
- the MPLS label forwarding table of the VPN includes:
- the contents listed under the Vpn-instance Name of the VPN (VPN1 in the example) are a forwarding table entry.
- a Forwarding Equivalent Class (FEC) of the forwarding table entry is the network segment 10.3.1.0/24 which the VPN resource server belongs to
- a next hop of the forwarding table entry is an IP address of the first P router through which a path from the SSL VPN gateway to the VPN resource server passes, 172.1.1.2.
- the forwarding table entry is applicable to any access mode; when a packet from a user matches 10.3.1.0/24, the next hop is determined as 172.1.1.2, so that the packet is forwarded to the correct P router.
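The following is an added worked model of the tables described above (it is example code written for this page, not code from the patent or from any product implementing it). It reproduces the VPN1 instance with its three routes and its single label forwarding entry, the UVR binding of the user group Vpn1group to VPN1 and of Pubgroup to no VPN, and returns the forwarding decision the text describes for a given user group and private destination. The route kinds "virtual", "local" and "mpls", the VPN label value 1024 and the handling of an unknown user group (dropped) are assumptions of the model, as is longest-prefix matching, which is what makes the 10.1.1.1/32 route win over 10.1.1.0/24 for packets addressed to the gateway itself.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the VPN1 instance from the text.
# Route kinds (assumed names): "virtual" = deliver through the virtual interface
# SVE1/0 (IP access mode), "local" = deliver to the gateway's own TCP stack
# (TCP/WEB access mode), "mpls" = label-switch toward the remote PE.


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    kind: str


@dataclass
class LabelEntry:
    fec: ipaddress.IPv4Network
    next_hop: str   # first P router on the path to the VPN resource server
    out_label: int  # MPLS forwarding (outer) label


@dataclass
class VpnInstance:
    name: str
    index: int       # VPN instance label index recorded in packet attributes
    vpn_label: int   # inner label identifying this VPN (1024 in the text)
    routes: List[Route] = field(default_factory=list)
    lfib: List[LabelEntry] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match in the VRF routing forwarding table."""
        addr = ipaddress.IPv4Address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def label_lookup(self, dst: str) -> Optional[LabelEntry]:
        """Longest-prefix match in the MPLS label forwarding table (FEC match)."""
        addr = ipaddress.IPv4Address(dst)
        best = None
        for e in self.lfib:
            if addr in e.fec and (best is None or e.fec.prefixlen > best.fec.prefixlen):
                best = e
        return best


VPN1 = VpnInstance(
    "VPN1", 1, 1024,
    routes=[
        Route(ipaddress.ip_network("10.1.1.0/24"), "10.1.1.1", "virtual"),  # first route
        Route(ipaddress.ip_network("10.1.1.1/32"), "127.0.0.1", "local"),   # second route
        Route(ipaddress.ip_network("10.3.1.0/24"), "3.3.3.9", "mpls"),      # second kind of route
    ],
    lfib=[LabelEntry(ipaddress.ip_network("10.3.1.0/24"), "172.1.1.2", 1026)],
)

# UVR table: user group -> bound VPN instance; None means a public user (global route).
UVR = {"Vpn1group": VPN1, "Pubgroup": None}


def forward_decision(group: str, dst: str) -> dict:
    """Decision for a packet from a user in `group` addressed to private address `dst`."""
    if group not in UVR:
        return {"action": "drop", "reason": "user group not in UVR table"}
    vrf = UVR[group]
    if vrf is None:
        return {"action": "global-route", "dst": dst}
    route = vrf.lookup(dst)
    if route is None:
        # A VPN user gets no fallback to the global table: the VRF is the isolation boundary.
        return {"action": "drop", "reason": "no route in VRF"}
    if route.kind == "mpls":
        entry = vrf.label_lookup(dst)
        if entry is None:
            return {"action": "drop", "reason": "no label forwarding entry"}
        return {"action": "mpls", "vpn_label": vrf.vpn_label,
                "out_label": entry.out_label, "next_hop": entry.next_hop}
    return {"action": route.kind, "next_hop": route.next_hop}
```

The model makes the isolation property explicit: a destination that has no route in the user's VRF is dropped rather than looked up in the global table, and a public user never acquires a VPN label.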
- a remote user user1 accesses an MPLS VPN through an SSL connection in the TCP/WEB access mode. It is supposed that the public network IP address of the remote host used by the user1 is 60.191.123.8, that the public network IP address of the SSL VPN gateway is 220.189.204.90, that the private IP address of the virtual interface SVE1/0 bound with VPN1 in the SSL VPN gateway is 10.1.1.1, and that the network segment where the VPN resource that the user1 is allowed to access is located is 10.3.1.0/24.
- the address of the remote host used by the user1 is called the address of the user, and operations performed by the user through the remote host are all regarded as operations of the user.
- FIG. 4 is a flowchart of accessing an MPLS VPN by a remote user through an SSL connection in a TCP/WEB access mode according to a first embodiment of the present invention. As shown in FIG. 4 , the accessing includes the following.
- Step 401 a user1 sends a logon and authentication request to an SSL VPN gateway.
- Step 402 the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the authentication, the SSL VPN gateway determines a VPN to which the user1 belongs according to a user group to which the user1 belongs, and then returns a user resource page to the user1.
- the user resource page includes VPN resource information that the user1 is allowed to access.
- the user1 belongs to a user group Vpn1group, and thus the user1 belongs to the VPN1.
- determining the VPN to which the user1 belongs according to the user group to which the user1 belongs may be implemented by using common modes in conventional SSL VPN technologies or by using the UVR table configured in the present invention.
- Step 403 when the user1 requests accessing a VPN resource server, an SSL connection is established between the user1 and the SSL VPN gateway, and the user1 sends a user ID and a VPN resource ID requested to be accessed to the SSL VPN gateway through the SSL connection established.
- Step 404 the SSL VPN gateway determines an IP address of the VPN resource server to which the VPN resource requested to be accessed belongs according to the VPN resource ID sent by the user1, and the IP address is supposed to be 10.3.1.1; meanwhile, the SSL VPN gateway searches out a virtual interface SVE1/0 bound with the Vpn1group of the user1 from the UVR table, establishes a TCP connection between the virtual interface SVE1/0 (10.1.1.1) and the VPN resource server requested to be accessed (10.3.1.1), and maintains a bidirectional connection relation table which is called an SSL-TCP (ST) table for short.
- the SSL VPN gateway searches the UVR table for a VPN instance to which the user1 belongs, the VPN instance being VPN1, adds a VPN instance label index 1 for the socket, and then initiates a TCP connection to 10.3.1.1.
- a TCP module in the TCP layer may add the VPN instance label index 1 to a TCP connection request packet according to the VPN instance label index of the socket.
- the operation of adding the VPN instance label index to the packet is to record the VPN instance label index in packet attributes, rather than to add the VPN instance label index in front of an IP packet.
- in the MPLS module, two layers of labels are added in front of the IP packet.
- an IP module searches out a corresponding VPN1 instance according to the VPN instance label index 1 of the packet, searches for a forwarding path according to a destination address 10.3.1.1 in the found VPN1 instance, determines that the packet is to be forwarded by the MPLS, and sends the packet to the MPLS module.
- the MPLS module searches out a VPN label 1024 of the VPN1 according to the VPN instance label index 1 of the packet, performs matching in an MPLS label forwarding table of the VPN1 instance according to the VPN instance label index 1 and the destination address of the packet, 10.3.1.1, and obtains an MPLS label forwarding table entry in which the FEC of the VPN1 instance is 10.3.1.0/24. And thus, a next hop and an MPLS forwarding label 1026 are obtained.
- the MPLS module adds the VPN label 1024 and the MPLS forwarding label 1026 to the TCP connection request packet, and sends the packet toward the VPN resource server according to the next hop.
- the interface bound with the VPN instance is SVE1/0, and thus a source address of a newly-established TCP connection is the IP address of the SVE1/0, a destination address is 10.3.1.1. Packets sent subsequently by the user1 will be sent through the TCP connection.
- Step 405 the user1 sends a user resource request packet to the SSL VPN gateway through the SSL connection.
- the user resource request packet is shown as a packet ⁇ circle around ( 1 ) ⁇ in FIG. 4 , and the packet ⁇ circle around ( 1 ) ⁇ includes a public network IP header, a TCP header and a data part.
- the TCP header is omitted from the description, which does not affect the description of the forwarding process.
- a source address and a destination address of the public network IP header respectively are a public network IP address of the user1, 60.191.123.8, and a public network IP address of the SSL VPN gateway, 220.189.204.90.
- Step 406 when receiving the user resource request packet sent by the user1 through the SSL connection, the SSL VPN gateway determines to directly forward the user resource request packet through the TCP connection established for the user1.
- the TCP layer adds the VPN instance label index to the packet according to information of the TCP connection established for the user1; then, according to the VPN instance label index of the packet, the MPLS module adds the VPN label 1024 and the MPLS forwarding label 1026 which is needed when forwarding the packet, and forwards the packet.
- the SSL VPN gateway performs the above processing by multiple modules, which include a TCP/WEB access mode processing module and a VPN label processing module located at an application layer, the TCP module located at the TCP layer, an IP module located at the IP layer, and the MPLS module located between the IP layer and a network interface.
- the TCP/WEB access mode processing module establishes and maintains the ST table when connections related to the remote access are established.
- the step 406 includes the following sub-steps.
- the IP module removes the public network IP header and sends the data part of the packet to the TCP/WEB access mode processing module through the TCP module.
- the TCP/WEB access mode processing module determines to forward the received packet through the TCP connection established for the user1, and sends the packet to the TCP module.
- the TCP module adds a private network IP header to the packet according to information of the TCP connection established, adds the VPN instance label index to the packet according to the VPN instance label index of the socket, and sends the packet to the IP module.
- a private network source address and a private network destination address of the private network IP header are addresses of two ends of the TCP connection respectively, i.e. the private network source address is the IP address of the virtual interface SVE1/0, 10.1.1.1, and the private network destination address is the IP address of the VPN resource server requested to be accessed by the user1, 10.3.1.1.
- the MPLS module searches for the corresponding VPN instance according to the VPN instance label index carried by the packet, adds the VPN label and the MPLS forwarding label to the packet according to the found VPN instance, and forwards the packet. Specifically, the MPLS module learns that the packet belongs to the VPN1 according to the VPN instance label index 1 carried by the packet, obtains the VPN label 1024 from the VPN1, and performs matching in the MPLS label forwarding table according to the private network destination address of the packet.
- the private network destination address is 10.3.1.1 and matches the forwarding table entry in which the FEC is 10.3.1.0/24. Thus the next hop 172.1.1.2 and the MPLS forwarding label 1026 are obtained. The MPLS module then adds the VPN label 1024 and the MPLS forwarding label 1026 to the packet, and sends the packet to the correct P router according to the next hop 172.1.1.2.
- the packet ⁇ circle around ( 1 ) ⁇ in FIG. 4 is converted to a packet ⁇ circle around ( 2 ) ⁇ .
- the packet ⁇ circle around ( 2 ) ⁇ includes the MPLS forwarding label, the VPN label, the private network IP header and the data part.
- the VPN label is an inner label used for differentiating the VPN to which the packet belongs
- the MPLS forwarding label is an outer label used for forwarding in the MPLS network.
- Step 407 the MPLS network forwards the packet to an opposite PE router according to the MPLS forwarding label carried by the packet.
- Step 408 the opposite PE router forwards the packet to the VPN resource server and returns a response packet of the VPN resource server to the MPLS network.
- Step 409 a P router adjacent to the SSL VPN gateway removes an MPLS forwarding label of the response packet, and sends the response packet to the SSL VPN gateway.
- the response packet sent to the SSL VPN gateway is shown as a packet ⁇ circle around ( 3 ) ⁇ in FIG. 4 .
- the packet ⁇ circle around ( 3 ) ⁇ includes the VPN label, the private network IP header and the data part.
- the private network source address and destination address in the private network IP header are 10.3.1.1 and 10.1.1.1 respectively, and the VPN label is 1024.
- Step 410 the SSL VPN gateway searches for a corresponding VPN instance according to the VPN label carried by the response packet, performs matching in the found VPN instance according to the private network destination address of the response packet to obtain a second routing forwarding table entry in the above VPN1 instance, and obtains a next hop which is an inner loopback interface address, 127.0.0.1, and then directly forwards the received response packet to an upper layer application, i.e. to the TCP/WEB access mode processing module in the application layer. After finishing the processing, the TCP/WEB access mode processing module forwards the response packet to the user1 through the SSL connection between the TCP/WEB access mode processing module and the user1.
- step 410 includes the following sub-steps.
- the MPLS module determines that the response packet belongs to the VPN1 according to the VPN label 1024 carried by the response packet, and then sends information of the VPN1 and the response packet without the VPN label to the IP module.
- the IP module obtains the VPN1 instance according to the information of the VPN1 to which the response packet belongs, and performs matching according to the private network destination address of the response packet 10.1.1.1. Detailed contents of the VPN1 instance have already been described before. Herein a routing forwarding table entry in which the destination address is 10.1.1.1/32 in the VPN1 instance is obtained through the matching. The IP module obtains a next hop which is an inner loopback interface address 127.0.0.1 from the routing forwarding table entry obtained through the matching, then directly forwards the response packet without the private network IP header to the TCP/WEB access mode processing module in the application layer through the TCP module.
- the TCP/WEB access mode processing module determines that the response packet received from the TCP connection is to be forwarded to the user1 through the SSL connection, and forwards the response packet to the TCP module.
- the TCP module adds the public network IP header to the response packet according to the information of the SSL connection, and forwards the response packet to the IP module.
- the IP module searches for a public network route according to the destination address, so as to forward the response packet to the user1 through the SSL connection.
- the response packet sent to the user1 is shown as a packet ⁇ circle around ( 4 ) ⁇ in FIG. 4 .
- the packet ⁇ circle around ( 4 ) ⁇ includes the public network IP header and the data part.
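The conversion of packet ① into packet ② (steps 406 and 407) and the reception of packet ③ (steps 409 and 410), as an added example that is not part of the patent text: the two label stack entries are encoded in the RFC 3032 format (20-bit label, 3-bit TC, 1-bit bottom-of-stack flag, 8-bit TTL), the VPN label 1024 is placed at the bottom of the stack with the forwarding label 1026 above it, and on the return path, where the adjacent P router has already removed the forwarding label, the VPN label is mapped back to its VPN instance. The mapping table `VPN_LABEL_TO_INSTANCE`, the TTL value, and the decision to drop a response whose label is unassigned or is not the bottom of the stack are assumptions of the example; the private IP packet is treated as opaque bytes.

```python
import struct

# Label stack entry layout (RFC 3032): label 20 bits | TC 3 bits | S 1 bit | TTL 8 bits.
RESERVED_LABEL_MAX = 15  # labels 0..15 are reserved; never use them as VPN or forwarding labels


def encode_label_entry(label, bottom, ttl=255, tc=0):
    """Pack one 32-bit label stack entry; `bottom` sets the S bit."""
    if not RESERVED_LABEL_MAX < label < (1 << 20):
        raise ValueError("label %d is reserved or out of range" % label)
    if not 0 <= ttl <= 255 or not 0 <= tc <= 7:
        raise ValueError("bad TTL or TC")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_label_entry(data):
    """Unpack one entry: returns (label, tc, bottom_of_stack, ttl)."""
    if len(data) < 4:
        raise ValueError("truncated label stack entry")
    (word,) = struct.unpack("!I", data[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


def encapsulate(private_ip_packet, vpn_label, fwd_label):
    """Packet (1) -> packet (2): forwarding label on top, VPN label at the bottom of
    the stack, then the private network IP packet."""
    return (encode_label_entry(fwd_label, bottom=False)
            + encode_label_entry(vpn_label, bottom=True)
            + private_ip_packet)


# Assumed binding of VPN labels to VPN instances (1024 -> VPN1, as in the text).
VPN_LABEL_TO_INSTANCE = {1024: "VPN1"}


def decapsulate_from_core(frame):
    """Packet (3): the adjacent P router has already popped the forwarding label, so the
    top entry must be the VPN label and must be the bottom of the stack.
    Returns (vpn_instance_name, private_ip_packet), or None when the frame must be dropped."""
    label, _tc, bottom, _ttl = decode_label_entry(frame)
    if not bottom:
        return None  # unexpected labels below the VPN label: drop rather than guess
    instance = VPN_LABEL_TO_INSTANCE.get(label)
    if instance is None:
        return None  # label not assigned to any VPN: drop, never fall through to the global table
    return instance, frame[4:]
```

Only the VPN label selects the VRF on the return path, so the lookup is deliberately strict: an unassigned label or a deeper stack is dropped instead of being delivered into some default table.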
- a remote user user1 accesses an MPLS VPN through an SSL connection in the IP access mode. It is supposed that the public network IP address of the remote host used by the user1 is 60.191.123.8, that the public network IP address of the SSL VPN gateway is 220.189.204.90, that the private IP address of the virtual interface SVE1/0 bound with VPN1 in the SSL VPN gateway is 10.1.1.1, and that the network segment to which the VPN resource that the user1 is allowed to access belongs is 10.3.1.0/24.
- FIG. 5 is a flowchart illustrating accessing an MPLS VPN by a remote user through an SSL connection in an IP access mode according to a second embodiment of the present invention. As shown in FIG. 5 , the method includes the following steps.
- Step 501 a user1 sends a logon and authentication request to an SSL VPN gateway.
- Step 502 the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the authentication, the SSL VPN gateway determines that the user1 belongs to VPN1 according to a user group Vpn1group which the user1 belongs to, and then returns a user resource page to the user1.
- the SSL VPN gateway randomly allocates one IP address to the user1 from an address pool configured for the VPN which the user1 belongs to, and the IP address is the virtual address of the user1. In the embodiment, it is supposed that the virtual address allocated to the user1 is 10.1.1.2.
- Step 503 an SSL connection is established between the user1 and the SSL VPN gateway when the user1 requests accessing a VPN resource server; in the IP access mode, the SSL VPN gateway needs to maintain a relation table of users, virtual addresses and SSL connections, which is called a User-Virtual IP-SSL (UVS) table. Since the gateway does not need to maintain the connection between the gateway and the VPN resource server in the IP access mode, the user1 only needs to send a user ID to the SSL VPN gateway through the SSL connection established.
- Step 504 the user1 sends a user resource request packet to the SSL VPN gateway through the SSL connection.
- the user resource request packet is shown as a packet ⁇ circle around ( 1 ) ⁇ in FIG. 5 , different from the first embodiment, the packet ⁇ circle around ( 1 ) ⁇ includes not only a public network IP header and data part, but also a private network IP header (the TCP header is also omitted).
- a source address and a destination address of the public network IP header are respectively a public network IP address of the user1, 60.191.123.8, and a public network IP address of the SSL VPN gateway, 220.189.204.90;
- a source address and a destination address of the private network IP header are respectively the virtual address of the user1, 10.1.1.2, and the private network IP address of the VPN resource server requested to be accessed, 10.3.1.1.
- Step 505 when receiving the user resource request packet sent by the user1, the SSL VPN gateway determines that the packet is from the user1 according to the UVS table, and further determines the VPN which the user1 belongs to by searching the UVS table.
- a VPN instance label index is added to the packet according to a VPN instance of the VPN which the user1 belongs to; and then an MPLS module adds a VPN label and an MPLS forwarding label according to the VPN instance label index of the packet, and forwards the packet.
- the forwarding in this step is MPLS forwarding performed together with ordinary IP forwarding: the IP module still performs the route lookup in the VPN instance, which determines that the packet is to be forwarded by the MPLS module.
- the SSL VPN gateway performs the above processing by multiple modules, which include an IP access mode processing module 1 located at an application layer, an IP access mode processing module 2 located at the IP layer, a TCP module located at a TCP layer, and the MPLS module located between the IP layer and a network interface.
- the IP access mode processing module 1 located at the application layer maintains the SSL connection and the UVS table
- the IP access mode processing module 2 located at the IP layer processes the forwarding.
- the IP access mode processing modules 1 and 2 are actually one module operating at the application layer and the IP layer simultaneously, and are called two modules for understanding convenience. The two modules share data. Thus, when data arrives at the IP access mode processing module 1, it also arrives at the IP access mode processing module 2, and vice versa.
- the step 505 includes the following sub-steps.
- the IP module removes the public network IP header and sends the packet with the private network IP header and the data part to the IP access mode processing module 1 through the TCP module; the IP access mode processing module 1 sends the packet to the IP access mode processing module 2.
- the IP access mode processing module 2 determines that the packet is from the user1 by searching the UVS table, and further determines to forward the packet in a direct IP forwarding mode; the packet is then sent to a VPN label processing module in the IP layer.
- the VPN label processing module determines that the Vpn1group of the user1 is bound with a VPN1 instance and learns that the VPN instance label index of the VPN1 instance is 1; it then adds the VPN instance label index 1 to the IP packet obtained by parsing, and forwards the packet to the IP module.
- the IP module performs route searching according to the destination address of the packet, determines that the packet is to be forwarded by the MPLS, and forwards the packet to the MPLS module.
- the MPLS module searches for a corresponding VPN instance according to the VPN instance label index carried by the packet, adds a VPN label and an MPLS forwarding label to the packet according to the found VPN instance, and forwards the packet. This step is the same as step c5 in the first embodiment.
- the packet ⁇ circle around ( 1 ) ⁇ in FIG. 5 is converted to a packet ⁇ circle around ( 2 ) ⁇ .
- the packet ⁇ circle around ( 2 ) ⁇ includes the MPLS forwarding label, the VPN label, the private network IP header and the data part.
- the private network source address in the packet ⁇ circle around ( 2 ) ⁇ of this embodiment is the virtual address of the user1, 10.1.1.2.
- Step 506 the MPLS network forwards the packet to an opposite PE router according to the MPLS forwarding label carried by the packet.
- Step 507 the opposite PE router forwards the packet to the VPN resource server and returns a response packet of the VPN resource server to the MPLS network.
- Step 508 a P router adjacent to the SSL VPN gateway removes an MPLS forwarding label of the response packet, and sends the response packet to the SSL VPN gateway.
- the response packet sent to the SSL VPN gateway is shown as a packet ⁇ circle around ( 3 ) ⁇ in FIG. 5 .
- the packet ⁇ circle around ( 3 ) ⁇ includes the VPN label, the private network IP header and the data part.
- the private network source address and destination address in the private network IP header are respectively 10.3.1.1 and 10.1.1.2
- the VPN label is 1024.
- Step 509 the SSL VPN gateway searches for a corresponding VPN instance according to the VPN label carried by the response packet, performs matching in the found VPN instance according to the private network destination address 10.1.1.2 of the response packet to obtain a first routing forwarding table entry in the above VPN1 instance and a next hop which is a virtual interface SVE1/0, and then directly forwards the response packet to the user1 through the SSL connection via the SVE1/0.
- step 509 includes the following sub-steps.
- the MPLS module determines that the response packet belongs to the VPN1 according to the VPN label carried by the response packet, and then sends information of the VPN1 which the response packet belongs to and the response packet without the VPN label to the IP module.
- the IP module obtains the VPN1 instance according to the information of the VPN1 to which the response packet belongs, and performs routing matching in the VPN1 instance according to the private network destination address 10.1.1.2 of the response packet, and finds a matched routing forwarding table entry in which the destination address is 10.1.1.0/24 in the VPN1 instance; the IP module obtains a next hop which is the IP address 10.1.1.1 of the virtual interface SVE1/0 from the matched routing forwarding table entry; since the destination address is not a local inner interface address, the virtual interface directly forwards the packet after receiving the packet.
- the forwarding function of the virtual interface is implemented by the IP access mode processing module 2 located at the IP layer.
- the IP access mode processing module 2 determines that the response packet is to be forwarded to the user1 through the SSL connection according to the private network destination address, i.e. the virtual address 10.1.1.2 in the response packet, and according to the UVS table; and then forwards the response packet to the IP access mode processing module 1 located at the application layer.
- the IP access mode processing module 1 sends the packet to the TCP module.
- the TCP module adds a public network IP header to the response packet according to the information of the SSL connection, and forwards the response packet to the IP module.
- the IP module searches for a public network route, so as to forward the response packet to the user1 through the SSL connection.
- the response packet sent to the user1 is shown as a packet ⁇ circle around ( 4 ) ⁇ in FIG. 5 .
- the packet ⁇ circle around ( 4 ) ⁇ includes the public network IP header, the private network IP header and the data part.
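The UVS table and the two lookups it serves in steps 503, 505 and 509, as an added example written for this page rather than taken from the patent: a virtual address is allocated from the pool 10.1.1.0/24 (excluding the virtual interface address 10.1.1.1), an inbound packet is mapped from its SSL session to the VPN instance label index, and a response packet is mapped from its private destination address (the virtual address) back to the SSL session. The session identifier, the sequential rather than random allocation, the minimal IPv4 header parsing and the `build_ipv4` helper used to construct test input are assumptions of the example. The example also adds a check the text does not spell out: the inner source address of a packet must be the virtual address allocated to that session, since the virtual address is what the return path uses to choose the SSL connection.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UvsEntry:
    user: str
    virtual_ip: str
    ssl_session: str  # identifier of the SSL connection (assumed; the text keeps the connection itself)
    vpn_index: int    # VPN instance label index bound to the user's group, 1 for VPN1


class UvsTable:
    """User - Virtual IP - SSL relation table for the address pool of one VPN."""

    def __init__(self, pool: str, virtual_if_ip: str):
        net = ipaddress.ip_network(pool)
        # The virtual interface address itself is excluded: it is covered by the /32 route.
        self._free: List[str] = [str(h) for h in net.hosts() if str(h) != virtual_if_ip]
        self._by_session: Dict[str, UvsEntry] = {}
        self._by_vip: Dict[str, UvsEntry] = {}

    def allocate(self, user: str, ssl_session: str, vpn_index: int) -> UvsEntry:
        if ssl_session in self._by_session:
            raise ValueError("session already holds a virtual address")
        if not self._free:
            raise RuntimeError("address pool exhausted")
        vip = self._free.pop(0)  # the text allocates randomly; sequential here so results are checkable
        entry = UvsEntry(user, vip, ssl_session, vpn_index)
        self._by_session[ssl_session] = entry
        self._by_vip[vip] = entry
        return entry

    def release(self, ssl_session: str) -> None:
        entry = self._by_session.pop(ssl_session, None)
        if entry is not None:
            del self._by_vip[entry.virtual_ip]
            self._free.append(entry.virtual_ip)

    def by_session(self, ssl_session: str) -> Optional[UvsEntry]:
        return self._by_session.get(ssl_session)

    def by_virtual_ip(self, vip: str) -> Optional[UvsEntry]:
        return self._by_vip.get(vip)


def parse_ipv4_addresses(packet: bytes):
    """Return (src, dst) of an IPv4 header; reject anything that is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test input: 20-byte IPv4 header, checksum left zero since nothing transmits it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def inbound_from_user(table: UvsTable, ssl_session: str, inner_packet: bytes):
    """Step 505: tag a packet received over the SSL connection with the VPN instance label index.
    Returns None when the packet must be dropped."""
    entry = table.by_session(ssl_session)
    if entry is None:
        return None  # no UVS entry: not an authenticated IP-mode session
    src, dst = parse_ipv4_addresses(inner_packet)
    # Added check: the inner source must be this session's own virtual address, otherwise the
    # response to this packet would be delivered to whichever session owns the spoofed address.
    if src != entry.virtual_ip:
        return None
    return {"vpn_index": entry.vpn_index, "dst": dst, "packet": inner_packet}


def outbound_to_user(table: UvsTable, response_packet: bytes) -> Optional[str]:
    """Step 509: map the private destination (the virtual address) back to the SSL connection."""
    _src, dst = parse_ipv4_addresses(response_packet)
    entry = table.by_virtual_ip(dst)
    return None if entry is None else entry.ssl_session
```

The VPN instance is chosen from the session, never from anything inside the user-supplied inner header, so a user cannot move a packet into another VPN; the added source check closes the remaining gap, where the inner header could otherwise redirect responses between sessions of the same VPN.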
- the first embodiment is a solution supporting the TCP and/or WEB access mode
- the second embodiment is a solution supporting the IP access mode.
- the TCP access mode, the WEB access mode and the IP access mode may coexist, or only two of the three are supported at the same time.
- the processing for a public network user, user3, is the same as the processing in the conventional SSL VPN gateway.
- the SSL VPN gateway searches the UVR table and determines that the user3 belongs to the user group Pubgroup and is not bound with any VPN, and thus determines that a packet of a public user is received and does not add any label, but directly sends the packet to the VPN resource server through a public route, also called a global route.
- the SSL VPN gateway sends the packet to an upper layer through the global route to be sent through the SSL connection, or directly sends the packet via the virtual interface through the SSL connection.
- the gateway is applicable to this kind of systems in which a remote user accesses a VPN resource server in an MPLS VPN through an SSL connection between the remote user and the gateway.
- the gateway also functions as an SSL VPN gateway in an SSL VPN and a PE router in the MPLS VPN.
- the gateway is called an SSL VPN gateway.
- FIG. 6 is a schematic diagram illustrating a structure of an SSL VPN gateway according to an embodiment of the present invention.
- the SSL VPN gateway includes a configuration unit (also called a WMI unit), a first network interface, a second network interface, a processing unit, a VPN instance storing unit (also called a VRF unit) and a relation storing unit (also called a UVR unit).
- the WMI unit is adapted to establish multiple virtual interfaces, one virtual interface being bound with one VPN and VPN instances being formed according to the virtual interfaces bound with the VPNs; save the VPN instances in the VRF unit; differentiate different VPN users according to authentication and authorization information of the users; bind the authentication and authorization information of the users with corresponding VPNs; and save a binding relation in the UVR unit.
- the WMI unit is adapted to establish a virtual interface for an address pool established by each VPN, the address pool and the corresponding VPN belonging to the same network segment and the address pools being used only in the IP access mode.
- the WMI unit is further adapted to form a UVR table as shown in Table 1 according to various binding relations established, and save the UVR table in the UVR unit.
- the VPN instances formed by the WMI unit include a routing forwarding table and an MPLS label forwarding table; contents of the two tables are the same as those described in the method embodiments and are not described herein.
- the UVR unit is adapted to store the binding relation established by the WMI unit.
- the VRF unit is adapted to store the VPN instances.
- the first network interface is adapted to provide a data transmission channel between the SSL VPN gateway where the first network interface is located and a user, and couple a remote host through the Internet.
- the second network interface is adapted to provide a data transmission channel between the SSL VPN gateway where the second network interface is located and an MPLS network, and couple a VPN resource server through the MPLS network.
- the processing unit is adapted to perform information interaction with the user1 and establish connections related to remote access.
- the processing unit is adapted to obtain a VPN instance bound with a user group which the user1 belongs to, i.e. a VPN1 instance, from the VRF unit according to the binding relations stored in the UVR unit; add a VPN label 1024 and an MPLS forwarding label 1026 to the packet by using the VPN1 instance; and send the packet to the VPN resource server through the MPLS network.
- When receiving a response packet from the VPN resource server, the processing unit is adapted to search for a corresponding VPN instance in the VRF unit according to a VPN label 1024 carried by the response packet, and forward the response packet to the user1 through the SSL connection between the processing unit and the user1 according to the found VPN instance.
- When the VPN resource server is accessed in the TCP or WEB mode, the processing unit is further adapted to establish an SSL connection between the user1 and the SSL VPN gateway when establishing the connections related to remote access, establish a TCP connection between a virtual interface SVE1/0 and the VPN resource server requested to be accessed for the user1, and maintain an ST table.
- In the process of establishing the TCP connection, the processing unit is adapted to add a VPN instance label index 1 to a socket of the established TCP connection according to a VPN instance bound with authentication and authorization information of the user1.
- When receiving a packet sent by the user1 through the SSL connection, the processing unit is adapted to add the VPN instance label index 1 to the received packet at the TCP layer according to information of the TCP connection established for the user1. An MPLS module in the processing unit is then adapted to search out the VPN1 instance according to the VPN instance label index 1, add a VPN label 1024 and an MPLS forwarding label 1026 to the packet according to the VPN instance label index of the packet, and forward the packet to the VPN resource server S1 through the TCP connection established for the user1.
- When receiving a response packet through the TCP connection, the processing unit is adapted to search for a corresponding VPN instance according to a VPN label 1024 carried by the response packet, perform matching in the found VPN instance according to the private network destination address 10.1.1.1 of the response packet to obtain a second routing forwarding table entry in the VPN1 instance and a next hop which is an inner loopback interface address 127.0.0.1, and directly forward the received response packet to an upper layer application. The upper layer application then sends the response packet to the user1 through the SSL connection.
- When the VPN resource server is accessed in the IP access mode, the WMI unit is further adapted to establish a virtual interface for the address pool established by each VPN when establishing the multiple virtual interfaces.
- the address pool and the virtual interface corresponding to the address pool belong to the same network segment.
- the processing unit is further adapted to allocate one virtual address 10.1.1.2 for the user1 from the address pool configured for the VPN which the user1 belongs to when establishing the connections related to the remote access, and establish the SSL connection between the user1 and the SSL VPN gateway.
- the processing unit is further adapted to, when receiving a packet carrying a private network IP header (the private network source address is 10.1.1.2) sent by the user1 through the SSL connection, add the VPN instance label index 1 to the received packet at the IP layer according to the VPN1 instance bound with the user group which the user1 belongs to; the MPLS module in the processing unit is then adapted to add a VPN label 1024 and an MPLS forwarding label 1026 to the packet according to the VPN instance label index 1.
- the processing unit is further adapted to, when receiving a response packet, search for a corresponding VPN instance according to the VPN label 1024 carried by the response packet, perform matching in the found VPN instance according to the private network destination address of the response packet, i.e. the virtual address 10.1.1.2, to obtain a first routing forwarding table entry in the VPN1 instance and a next hop which is the IP address 10.1.1.1 of the virtual interface SVE1/0, and forward the response packet to the user1 through the SSL connection by using the virtual interface SVE1/0.
- the processing module is described hereinafter in detail.
- the processing module includes an SSL VPN service module, a VPN label processing module, a TCP module, an IP module and an MPLS module.
- the SSL VPN service module includes one or a combination of a TCP/WEB access mode processing module and an IP access mode processing module according to an access mode supported by the SSL VPN gateway.
- FIG. 7 is a schematic diagram illustrating a structure of an SSL VPN gateway when a VPN resource server is accessed by using a TCP/WEB mode according to an embodiment of the present invention.
- the processing unit includes a TCP/WEB access mode processing module and a VPN label processing module which are located at an application layer, a TCP module located at a TCP layer, an IP module located at an IP layer, and an MPLS module located between the IP layer and a network interface.
- the TCP/WEB access mode processing module is adapted to return a user resource page to the user1 when the user1 requests logon and authentication; when the user1 requests accessing the VPN resource server S1, establish the SSL connection between the user1 and the SSL VPN gateway, establish a TCP connection between the virtual interface SVE1/0 and the VPN resource server S1, and maintain a ST table.
- the VPN label processing module is adapted to add the VPN instance label index 1 to a socket of the TCP connection according to the VPN1 instance bound with the user group which the user1 belongs to.
- the IP module is adapted to remove the public network IP header of the packet, and send the data part of the packet to the TCP/WEB access mode processing module through the TCP module.
- the TCP/WEB access mode processing module is further adapted to determine to forward the received packet through the TCP connection established for the user1 according to the ST table, and send the packet to the TCP module.
- the TCP module is adapted to add the private network IP header to the packet according to information of the TCP connection established for the user1, add the VPN instance label index 1 to the packet according to the VPN instance label index 1 of the socket, and send the packet to the IP module.
- the IP module is adapted to perform route searching, i.e. search out a corresponding VPN1 instance according to the VPN instance label index 1 of the packet, search for a forwarding path in the VPN routing table and the label forwarding table so as to determine that the packet is to be forwarded by the MPLS, and send the packet to the MPLS module.
- the MPLS module is adapted to search out a corresponding VPN1 instance in the VRF unit according to the VPN instance label index 1 carried by the packet, add the VPN label 1024 and the MPLS forwarding label 1026 to the packet according to the found VPN1 instance, and forward the packet.
- the MPLS module is adapted to determine the VPN to which response packet belongs according to the VPN label 1024 carried by the response packet, and send information of the VPN1 which the response packet belongs to and the response packet without the VPN label to the IP module.
- the IP module is adapted to obtain the corresponding VPN instance from the VRF unit according to the information of the VPN which the response packet belongs to, perform matching in the VPN1 instance according to the private network destination address 10.1.1.2 of the response packet to obtain a second routing forwarding table entry in the VPN1 instance and a next hop which is an inner loopback interface address 127.0.0.1, and directly forward the response packet without the private network IP header to the TCP/WEB access mode processing module through the TCP module.
- the TCP/WEB access mode processing module is adapted to determine according to the ST table that the response packet received through the TCP connection is to be forwarded to the user1 through the SSL connection, and forward the response packet to the TCP module.
- the TCP module is adapted to add the public network IP header to the response packet according to the information of the SSL connection, and forward the response packet to the IP module.
- the IP module is adapted to search for the public network route and forward the response packet to the user1.
- FIG. 8 is a schematic diagram illustrating a structure of an SSL VPN gateway when a VPN resource server is accessed by using an IP mode according to an embodiment of the present invention.
- the processing unit includes an IP access mode processing module 1 located at an application layer, an IP access mode processing module 2 and a VPN label processing module which are located at an IP layer, a TCP module located at a TCP layer, an IP module located at an IP layer and an MPLS module located between the IP layer and a network interface.
- the IP access mode processing module 1 is adapted to return a user resource page to the user1 when the user1 requests logon and authentication, and allocate one virtual address 10.1.1.2 for the user1 from an address pool configured for a VPN to which the user1 belongs; when the user1 requests accessing a VPN resource server, establish an SSL connection between the user1 and the SSL VPN gateway, and maintain a UVS table.
- the UVS table is shared with the IP access mode processing module 2 .
- the IP module is adapted to remove a public network IP header of the packet, and send the packet containing the private network IP header and the data part to the IP access mode processing module 1 located at the application layer through a TCP module.
- the IP access mode processing module 1 sends the packet to the IP access mode processing module 2 located at the IP layer.
- a private network source address is a virtual address of the user1, 10.1.1.2.
- the IP access mode processing module 2 is adapted to determine, according to the UVS table, to forward the packet in a direct IP forwarding mode, and send the packet to the VPN label processing module.
- the VPN label processing module is adapted to determine that a VPN bound with a user group to which the user1 belongs is a VPN1 according to a binding relation stored in the UVR unit, add a VPN instance label index 1 to the packet, and send the packet to the IP module.
- the IP module is adapted to determine, by using route searching, that the packet is to be forwarded by MPLS; and send the packet to the MPLS module.
- the MPLS module is adapted to search for a corresponding VPN instance according to the VPN instance label index 1 carried by the packet, add a VPN label 1024 and an MPLS forwarding label 1026 to the packet according to the found VPN1 instance, and send the packet.
- the MPLS module is adapted to determine a VPN to which the response packet belongs according to a VPN label 1024 carried by the response packet, and send information of the VPN which the response packet belongs to and the response packet without the VPN label to the IP module.
- the IP module is adapted to obtain a corresponding VPN instance from the VRF unit according to the information of the VPN which the response packet belongs to; perform route matching according to a private network destination address of the response packet, i.e. according to the virtual address of the user1, to obtain a first routing forwarding table entry in the VPN1 instance and a next hop which is SVE1/0; and forward the response packet to the virtual interface SVE1/0 according to the first routing forwarding table entry.
- the forwarding function of the virtual interface SVE1/0 is implemented by the IP access mode processing module 2 located at the IP layer, i.e. the response packet is forwarded to the IP access mode processing module 2.
- the IP access mode processing module 2 is adapted to determine to forward the response packet via the virtual interface SVE1/0 through the SSL connection with the user1 according to the UVS table, and send the response packet to the TCP module.
- the TCP module is adapted to add a public network IP header to the response packet according to information of the SSL connection, and send the response packet to the IP module.
- the IP module is adapted to send the response packet to the user1 by searching for a public network route.
- the present invention further provides a system for remotely accessing an MPLS VPN.
- the system includes a remote host used by a user, an Internet, an SSL VPN gateway, an MPLS VPN and a VPN resource server in the MPLS VPN.
- the remote host remotely accesses the VPN resource server in the MPLS VPN through the SSL connection between the remote host and the SSL VPN gateway.
- the SSL VPN gateway also functions as a PE router of the MPLS VPN and may be any kind of SSL VPN gateways described in the above embodiments.
Description
- The present invention relates to Secure Socket Layer Virtual Private Network (SSL VPN) technologies and Multi-Protocol Label Switching Virtual Private Network (MPLS VPN) technologies, and more particularly to a method and system for remotely accessing an MPLS VPN, and a gateway applied to the system.
- Secure Socket Layer Virtual Private Network (SSL VPN) is a Virtual Private Network (VPN) technology which implements remote access by using a Secure Socket Layer (SSL) encryption connection.
FIGS. 1A and 1B show diagrams illustrating network structures of the SSL VPN. As shown in FIG. 1A, an SSL connection is established between a remote host and an SSL VPN gateway, and packets are transmitted over the Internet in encrypted form. The SSL VPN gateway terminates the SSL connection, transmits the request from the remote host in plaintext through a Transmission Control Protocol (TCP) connection established between the SSL VPN gateway and a VPN resource server of the inner network, or through direct IP forwarding, and transmits the response of the server to the remote host through the SSL connection.
- Remote access modes of users include a TCP access mode, a WEB access mode and an IP access mode. The remote access processes of the TCP access mode and the WEB access mode are the same, and differ slightly from the remote access process of the IP access mode. Specifically, in the TCP/WEB (“/” indicates “or”) access mode, the remote access process includes the following steps.
- Step A, a user1 performs information interaction with an SSL VPN gateway, and establishes a connection related to a remote access. Step A specifically includes the following.
- a1: through a remote host, the user1 requests the SSL VPN gateway to perform logon and authentication; the SSL VPN gateway returns a user resource page to the user1 after the user passes the logon and authentication, and the user resource page includes the VPN resource information that the user is allowed to access.
- a2: through the remote host, the user1 establishes an SSL connection with the SSL VPN gateway when requesting access to a VPN resource; in the TCP/WEB access mode, the gateway needs to maintain a bidirectional connection relation table, i.e. the SSL connection between the SSL VPN gateway and the user host and a TCP connection between the SSL VPN gateway and a VPN resource server; hence, the user sends a user identity (ID) and an ID of the VPN resource requested to be accessed to the SSL VPN gateway through the established SSL connection. The user ID is used to identify the user, and the ID of the VPN resource is used to indicate the resource requested to be accessed.
- a3: according to the ID of the VPN resource, the SSL VPN gateway establishes and maintains, for the user1, the TCP connection between the SSL VPN gateway and a VPN resource server 1 to which the VPN resource requested to be accessed belongs. The two ends of the TCP connection established for the user are: a private network address of a physical exit interface on the SSL VPN gateway, 172.1.1.1, and a private network address of the VPN resource server 1, 10.3.1.1.
- Step B, after the connection related to the remote access is established, the user1 sends a packet to the SSL VPN gateway through the SSL connection, and the SSL VPN gateway sends the packet received through the SSL connection to the VPN resource server 1 through the TCP connection established for the user1.
- In the TCP/WEB access mode, the user1 does not need to know the address of the VPN resource server, thus the packet sent from the user1 to the SSL VPN gateway carries only a public network IP header. In the packet sent by the user1, such as packet {circle around (1)} shown in FIG. 1A, the public network source address in the public network IP header is the public network address of the remote host used by the user1, 60.191.123.24, and the public network destination address in the public network IP header is the public network address of the SSL VPN gateway, 220.189.204.90.
- The core component of the SSL VPN gateway is an SSL VPN service unit. The SSL VPN service unit includes three modules: a TCP access mode processing module, a WEB access mode processing module and an IP access mode processing module. The packet forwarding procedures of the TCP access mode processing module and the WEB access mode processing module are similar, and thus the two modules may be regarded as one module, i.e. a TCP/WEB access mode processing module. The TCP/WEB access mode processing module operates on the application layer, while the IP access mode processing module operates on both the application layer and the IP layer.
- In the TCP/WEB access mode, the forwarding process in step B includes sub-steps b1˜b3.
- b1: after the packet enters the SSL VPN gateway through the SSL connection, the IP layer removes the public network IP header and sends the data part of the packet to the TCP/WEB access mode processing module located on the application layer via a TCP layer;
- b2: the TCP/WEB access mode processing module determines to forward the received packet through the TCP connection established for the user1 according to the bidirectional connection relation table; in this case, the packet is sent to the TCP layer;
- b3: the TCP layer adds a private network IP header to the packet according to the TCP connection established for the user1 (172.1.1.1 to 10.3.1.1), and sends the packet to the IP layer; where a private network source address and a private network destination address in the private network IP header are 172.1.1.1 and 10.3.1.1 respectively;
- b4: the IP layer performs route searching according to the destination address of the packet, and then forwards the packet via the physical exit interface 172.1.1.1. In the forwarded packet, such as packet {circle around (2)} shown in FIG. 1A, the private network source address and the private network destination address in the private network IP header are 172.1.1.1 and 10.3.1.1 respectively.
- Step C, the SSL VPN gateway receives a response packet returned by the VPN resource server 1 through the TCP connection, and returns the response packet to the user1 through the SSL connection. This step is the reverse of step B. First, the IP layer removes the private network IP header of the response packet and sends the response packet to the TCP/WEB access mode processing module through the TCP layer, and the TCP/WEB access mode processing module determines to return the response packet through the SSL connection between the user1 and the TCP/WEB access mode processing module. Then, the TCP layer adds a public network IP header to the response packet. Finally, the IP layer performs the route searching and forwards the response packet.
- Thus, the remote access in the TCP/WEB access mode is finished.
- When the user1 performs the remote access in the IP access mode, an address pool used for allocating addresses for users needs to be established. The access process still includes the above steps A, B and C, but specific implementation of each step is different.
- In step A, the SSL VPN gateway, besides returning the user resource page, also needs to randomly select one IP address from the address pool and allocate the IP address to the user1 as a source address, i.e. a virtual address used by the user1 when accessing the VPN resource server. It is supposed that the virtual address is 10.1.1.2. When the user1 needs to access the VPN resource, only the SSL connection rather than the TCP connection is established. However, the SSL VPN gateway needs to maintain a relation table of the users, the virtual addresses and the SSL connections, but does not need to know the VPN resource server to be accessed by the user1. Therefore, during the information interaction with the SSL VPN gateway, the user1 only needs to send the user ID to the SSL VPN gateway through the SSL connection established.
- In step B, the user1 still sends the packet to the SSL VPN gateway through the SSL connection, and the packet includes not only the public network IP header described above, but also a private network IP header. In the packet sent by the user1, such as packet {circle around (1)} shown in FIG. 1B, the public network IP header of packet {circle around (1)} is the same as that shown in FIG. 1A, the private network source address is the virtual address of the user1, 10.1.1.2, and the private network destination address is the private network address of the VPN resource server to be accessed, 10.3.1.1. The private network address of the VPN resource server may be obtained by the user1 in advance.
- When the SSL VPN gateway receives the packet, the IP layer removes the public network IP header, and sends the packet to the IP access mode processing module through the TCP layer. The IP access mode processing module determines to transmit the packet directly according to the private network IP header. The packet without the public network IP header may be packet {circle around (2)} as shown in FIG. 1B.
- In step C, the SSL VPN gateway receives a response packet returned by the VPN resource server 1; the IP access mode processing module determines to return the response packet through the SSL connection between the IP access mode processing module and the user1 according to the relation table of the users, the virtual addresses and the SSL connections; then the TCP layer adds a public network IP header to the response packet, and the IP layer performs the route searching and forwards the response packet to the user1.
- Thus, the remote access in the IP access mode is finished.
- MPLS L3VPN is a Layer 3 (L3) VPN technology based on a Provider Edge (PE) router, used in the VPN solutions of service providers. MPLS L3VPN advertises VPN routes in an MPLS network by using the Border Gateway Protocol (BGP), and forwards MPLS packets in the MPLS network by using label forwarding.
- FIG. 2 is a schematic diagram illustrating a conventional network structure of an MPLS L3VPN. As shown in FIG. 2, the MPLS L3VPN model consists of the following three parts.
- A Customer Edge (CE) device, called CE for short, has an interface directly connecting with a Provider Edge (PE) router. The CE may be a router, a switch or a host. The CE is not aware of the existence of the VPN and does not need to support MPLS.
- A PE router, called PE for short, is an edge device of the MPLS network, and directly connects with the CE. In the MPLS network, all processing of VPN information is maintained in the PE. VPN Routing & Forwarding Instances, called VPN instances, are stored in the PE. A routing forwarding table and an MPLS label forwarding table are included in the VPN instance. The routing forwarding table includes two kinds of routes, one is for indicating an exit interface through which a packet from the CE is to be forwarded, and the other is for indicating an exit interface through which a packet from the P router is to be forwarded. The MPLS label forwarding table includes two kinds of table entries, one is a VPN label (inner layer label) of each VPN, and the other is a forwarding entry, i.e. for indicating next hop P router information and an MPLS forwarding label for a packet from the CE.
- The P router, called P for short, is a backbone router of the MPLS network, does not directly connect with the CE, only needs to have basic MPLS forwarding capability and does not need to maintain VPN information.
- As shown in FIG. 2, different physical interfaces of the PE router connect with different CE devices, one physical interface is bound with one VPN, and a VPN instance of the VPN is formed according to the physical interface bound with the VPN. When a packet from a CE device enters through a certain physical interface of the PE, the PE router determines the VPN to which the packet belongs according to the physical interface, and forwards the packet by using the VPN instance of that VPN. The forwarding processing includes: searching for an exit interface of the packet according to the routing forwarding table, and searching for a VPN label (inner layer label), an MPLS forwarding label (outer layer label), next hop P device information and the like according to the MPLS label forwarding table; adding the VPN label and the MPLS label to the packet according to the found information, and forwarding the packet. When receiving a packet from the P router, the PE router searches for the VPN instance according to the VPN label contained in the packet, and forwards the packet to the CE device through the physical interface bound with the VPN instance. Conventionally, the PE router may also differentiate VPN users according to Virtual Local Area Network (VLAN) access information.
- When the local area network connecting with the SSL VPN gateway in FIGS. 1A and 1B adopts the MPLS L3VPN, the following problems urgently need to be solved: how to connect the SSL VPN gateway with a device in the MPLS L3VPN, and how to forward a packet received through the SSL connection to the MPLS network so that a remote user can remotely access a VPN resource server in the MPLS VPN through the SSL connection. Currently there is no solution for these problems.
- An embodiment of the present invention provides a method for remotely accessing an MPLS VPN, so that a remote user can remotely access a VPN resource in the MPLS VPN through an SSL connection between the remote user and an SSL VPN gateway.
- The remote user remotely accesses a VPN resource server in the MPLS VPN through the SSL connection between the remote user and the SSL VPN gateway, and the SSL VPN gateway also functions as a PE router in the MPLS network. Packets received by the SSL VPN gateway from the VPN resource server, or transmitted by the SSL VPN gateway to the VPN resource server, are transmitted through the MPLS network.
- The method includes steps of:
- A: establishing multiple virtual interfaces in the SSL VPN gateway, one virtual interface being bound with one VPN, and forming VPN instances according to the virtual interfaces bound with VPNs, differentiating different VPN users according to authentication and authorization information of users, and binding the authentication and authorization information of the users with VPNs respectively;
- B: performing, by a user, information interaction with the SSL VPN gateway, and establishing a connection related to a remote access;
- C: receiving, by the SSL VPN gateway, a packet sent by the user x through the SSL connection, adding a VPN label and an MPLS forwarding label to the packet according to a VPN instance bound with authentication and authorization information of the user x, and sending the packet to the VPN resource server through the MPLS network; and
- D: receiving, by the SSL VPN gateway, a response packet from the VPN resource server, searching for a VPN instance according to a VPN label carried by the response packet, and forwarding the response packet to the user through the SSL connection according to the found VPN instance.
- An embodiment of the present invention provides a gateway, functioning as an SSL VPN gateway and a PE router, so that a remote user can remotely access a VPN resource in an MPLS VPN through an SSL connection between the remote user and an SSL VPN gateway. The gateway functions as an SSL VPN gateway in the SSL VPN and a PE router in the MPLS VPN, and includes:
- a configuration unit, a first network interface, a second network interface, a processing unit, a VPN instance storing unit and a relation storing unit;
- wherein the configuration unit is adapted to establish multiple virtual interfaces, one virtual interface being bound with one VPN, form VPN instances according to the virtual interfaces bound with the VPNs, save the VPN instances in the VPN instance storing unit; differentiate different VPN users according to authentication and authorization information of users, bind the authentication and authorization information of the users with corresponding VPNs respectively; save binding relations in the relation storing unit;
- wherein the relation storing unit is adapted to store the binding relations established by the configuration unit;
- wherein the VPN instance storing unit is adapted to store the VPN instances;
- wherein the first network interface is adapted to provide a data transmission channel between the gateway and the users;
- wherein the second network interface is adapted to provide a data transmission channel between the gateway and an MPLS network;
- wherein the processing unit is adapted to perform information interaction with a user and establish a connection related to a remote access; when receiving a packet sent by the user x through the SSL connection, obtain a VPN instance bound with authentication and authorization information of the user x from the VPN instance storing unit according to a binding relation stored in the relation storing unit, add a VPN label and an MPLS forwarding label to the packet by using the VPN instance obtained, send the packet to the VPN resource server through the MPLS network; when receiving a response packet from the VPN resource server, search for a corresponding VPN instance in the VPN instance storing unit according to a VPN label carried by the response packet, and forward the response packet to the user x through the SSL connection according to the found VPN instance.
- An embodiment of the present invention provides a system for remotely accessing an MPLS VPN, so that a remote user can remotely access a VPN resource in the MPLS VPN through an SSL connection between the remote user and an SSL VPN gateway. The system includes any of the gateways described above.
- As can be seen from the above technical scheme, in order to implement multiple VPN instances when there is only one physical interface, embodiments of the present invention establish virtual interfaces bound respectively with VPNs, and thus each VPN binds with one virtual interface, so that VPN instances corresponding to different VPNs are formed and used when a packet is forwarded.
- In addition, embodiments of the present invention differentiate different VPN users by using authentication and authorization information of users, so that the users can be differentiated when the SSL VPN gateway provides only one physical interface for the users, and thus can further forward the packet by using a corresponding VPN instance, thereby implementing the scheme of remotely accessing the VPN resource in the MPLS VPN by the remote user.
- FIG. 1A is a schematic diagram illustrating a conventional network structure of an SSL VPN.
- FIG. 1B is a schematic diagram illustrating a conventional network structure of an SSL VPN.
- FIG. 2 is a schematic diagram illustrating a conventional networking structure of an MPLS L3VPN.
- FIG. 3 is a schematic diagram illustrating a network structure when an SSL VPN gateway also functions as a PE router.
- FIG. 4 is a flowchart illustrating accessing an MPLS VPN by a remote user through an SSL connection in a TCP/WEB access mode according to a first embodiment of the present invention.
- FIG. 5 is a flowchart illustrating accessing an MPLS VPN by a remote user through an SSL connection in an IP access mode according to a second embodiment of the present invention.
- FIG. 6 is a schematic diagram illustrating a structure of an SSL VPN gateway according to an embodiment of the present invention.
- FIG. 7 is a schematic diagram illustrating a structure of an SSL VPN gateway when an access to a VPN resource server is in a TCP/WEB mode according to an embodiment of the present invention.
- FIG. 8 is a schematic diagram illustrating a structure of an SSL VPN gateway when an access to a VPN resource server is in an IP mode according to an embodiment of the present invention.
- In embodiments of the present invention, an SSL VPN gateway also functions as a PE router in an MPLS L3VPN, so as to solve the problem of connecting the SSL VPN gateway and the MPLS L3VPN. Hereinafter, MPLS VPN refers to MPLS L3VPN.
- FIG. 3 is a schematic diagram illustrating a network structure when an SSL VPN gateway also functions as a PE router. As shown in FIG. 3, a user1 belongs to a VPN1, a user2 belongs to a VPN2, and the two users access VPN resources through different remote hosts; a CE1 and a CE2 are VPN resource servers, a VPN1 resource is configured at the CE1, and a VPN2 resource is configured at the CE2. Data are transmitted between the remote host and the SSL VPN gateway through an SSL connection, and the SSL VPN gateway functions as a PE router at the same time and connects with a P router in an MPLS network.
- The SSL VPN gateway, functioning as the PE router, is different from the PE router shown in FIG. 2. The SSL VPN gateway provides only one network interface externally on each side, i.e. as shown in FIG. 3, one network interface toward the Internet and one toward the MPLS network. Thus, the SSL VPN gateway cannot bind physical interfaces with VPNs as common PE routers do, so as to differentiate VPN users by the ingress interfaces of packets. Further, the SSL VPN gateway is configured between the Internet and a local area network, and packets received from users have already been transmitted through the Internet and thus do not carry VLAN access information. Thus, VPN users cannot be differentiated according to VLAN access information carried by the packets, either. However, when the users log on and are authenticated, the SSL VPN gateway maintains authentication and authorization information of the users, and thus in the embodiments of the present invention different users are differentiated by using the authentication and authorization information of the users.
- Of course, the SSL VPN gateway functioning as the PE router needs to have the functions of both the SSL VPN gateway and the PE router, and thus the SSL VPN gateway also needs to perform conversion between SSL messages and MPLS messages, and needs to allow remote access to the MPLS VPN by using one of or any combination of the three access modes of the SSL VPN.
- The embodiment of the present invention provides a method for remotely accessing an MPLS VPN, and the method includes the following steps.
- A: multiple virtual interfaces are established in an SSL VPN gateway, one VPN is bound with one virtual interface, and VPN instances are formed according to the virtual interfaces bound with the VPNs. The VPNs bound with the virtual interfaces are MPLS VPNs; the two kinds of VPNs are not differentiated hereinafter and are jointly called VPNs. Different VPN users are differentiated according to the authentication and authorization information of the users, so that SSL VPN users are differentiated and directed to different MPLS VPNs. The authentication and authorization information of a user is then bound with the corresponding VPN.
- B: a user x performs information interaction with the SSL VPN gateway, and establishes a connection related to the remote access.
- C: the SSL VPN gateway receives a packet sent by the user x through an SSL connection, adds a VPN label and an MPLS forwarding label to the received packet according to a VPN instance bound with the authentication and authorization information of the user x, and sends the packet to a VPN resource server through an MPLS network.
- D: the SSL VPN gateway receives a response packet from the VPN resource server, searches for a VPN instance according to a VPN label carried by the response packet, and forwards the response packet to the user x through the SSL connection according to the found VPN instance.
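The forwarding behaviour of the modules described for FIGS. 7 and 8 and summarized in steps A to D can be illustrated with a small simulation. The following Python block is an added example, not the patent's or any vendor's code. VPN1's values (VPN label 1024, MPLS forwarding label 1026, interface SVE1/0, virtual address 10.1.1.2, server 10.3.1.1) follow the description; the VPN2 labels 2048/2050, the server prefixes, the next-hop P router name and the contents of the user-group, UVR and UVS tables are constructed assumptions. The block also adds one check the patent does not describe: a packet arriving over a user's SSL connection is admitted into that user's VPN only if its private network source address is the virtual address allocated to that user.

```python
"""Simulation of an SSL VPN gateway that also acts as an MPLS PE router.

Added example with constructed sample tables. VPN1's numbers follow the
description; everything about VPN2 and the server prefixes is assumed.
"""
from dataclasses import dataclass
import ipaddress

# Authentication and authorization information: the user group of each
# authenticated user (constructed). "guest" is a public user bound to no VPN.
USER_TO_GROUP = {"user1": "group1", "user2": "group2", "guest": "public"}
# UVR-style binding relation: user group -> VPN.
GROUP_TO_VPN = {"group1": "VPN1", "group2": "VPN2"}


@dataclass(frozen=True)
class VpnInstance:
    name: str
    label_index: int        # VPN instance label index carried inside the gateway
    vpn_label: int          # inner label identifying the VPN in the MPLS network
    fwd_label: int          # outer MPLS forwarding label toward the next-hop P router
    next_hop_p: str
    virtual_interface: str  # SVE virtual interface bound to this VPN
    routes: tuple           # (prefix, exit) entries of the routing forwarding table


VPN_INSTANCES = {
    "VPN1": VpnInstance("VPN1", 1, 1024, 1026, "P1", "SVE1/0",
                        (("10.3.1.0/24", "MPLS"), ("10.1.1.0/24", "SVE1/0"))),
    "VPN2": VpnInstance("VPN2", 2, 2048, 2050, "P1", "SVE2/0",
                        (("10.3.2.0/24", "MPLS"), ("10.2.1.0/24", "SVE2/0"))),
}
VRF_BY_VPN_LABEL = {v.vpn_label: v for v in VPN_INSTANCES.values()}

# UVS table: user -> (virtual address allocated from the VPN's pool, SSL connection)
UVS = {"user1": ("10.1.1.2", "ssl-conn-1"), "user2": ("10.2.1.2", "ssl-conn-2")}


def vpn_for_user(user):
    """Resolve the VPN instance bound to the user's group (None for public users)."""
    return VPN_INSTANCES.get(GROUP_TO_VPN.get(USER_TO_GROUP.get(user)))


def lookup_route(vpn, dst):
    """Longest-prefix match in the VPN instance's routing forwarding table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, exit_if in vpn.routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_if)
    return best[1] if best else None


def forward_from_ssl(user, src, dst):
    """Step C: packet from the user's SSL connection toward the MPLS network.

    Returns the labelled packet, or None when the packet must be dropped."""
    vpn = vpn_for_user(user)
    if vpn is None:
        return None                      # user is not bound to any VPN
    virtual_addr, _ = UVS.get(user, (None, None))
    if src != virtual_addr:
        return None                      # added check: source must be the user's own virtual address
    if lookup_route(vpn, dst) != "MPLS":
        return None                      # destination not reachable inside this VPN
    return {"labels": (vpn.fwd_label, vpn.vpn_label),   # (outer, inner)
            "next_hop": vpn.next_hop_p, "src": src, "dst": dst}


def forward_from_mpls(pkt):
    """Step D: response packet from the MPLS network back to a user's SSL connection.

    Returns (user, ssl_connection) or None when no VPN instance or user matches."""
    vpn = VRF_BY_VPN_LABEL.get(pkt["labels"][-1])   # innermost label is the VPN label
    if vpn is None:
        return None                                  # unknown VPN label: drop
    if lookup_route(vpn, pkt["dst"]) != vpn.virtual_interface:
        return None                                  # no route toward a user in this VPN
    for user, (virtual_addr, conn) in UVS.items():
        if virtual_addr == pkt["dst"] and vpn_for_user(user) is vpn:
            return (user, conn)
    return None
```

Once the ingress physical interface no longer identifies the VPN, the binding relation (user group to VPN) and the UVS table become the isolation boundary between VPN1 and VPN2 users; the `None` returns above model the cases a gateway has to reject, i.e. a public user, a mismatched source address, a destination outside the user's VPN, and a response whose VPN label or destination matches no bound user.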
- As can be seen from the above, in the embodiments of the present invention, the virtual interfaces are established and are respectively bound with the VPNs, and each VPN is bound with one virtual interface so that the VPN instances corresponding to different VPNs are formed and are used when the packets are forwarded. In the embodiments of the present invention, because the SSL VPN gateway provides only one physical interface for the users, by incorporating characteristics of the SSL VPN gateway, the authentication and authorization information of the users is used to differentiate different VPN users, so that the users can be differentiated when the SSL VPN gateway provides only one physical interface for the users. Further, packets can be forwarded by using corresponding VPN instances, and thereby the remote user can access the VPN resource in the MPLS VPN.
- The present invention is described with reference to the accompanying drawings and embodiments. In the embodiments below, different VPN users are differentiated by the user groups to which the users belong, as indicated in the authentication and authorization information. In a practical network there are also users who do not belong to any VPN, called public users; this kind of user can likewise be differentiated by using, for example, the user groups indicated in the authentication and authorization information. In other embodiments, different VPN users may be differentiated by using one or any combination of the user groups, virtual areas and roles indicated in the authentication and authorization information.
- In the embodiment, the MPLS VPN and the SSL VPN should be configured firstly. Related configurations of the MPLS VPN are the same as those of regular MPLS VPNs, and will not be described herein. Related configurations of the SSL VPN include the following steps.
- 1: multiple address pools are established in the SSL VPN gateway, each address pool corresponds to one VPN; the address pools are used only in the IP access mode.
- 2: one virtual interface is established for each address pool, an address pool and its corresponding virtual interface belong to the same network segment, and each virtual interface is bound with one VPN. The virtual interface may be an SSL VPN Virtual Ethernet (SVE) interface, called virtual interface for short, or may be a Loopback interface. In the embodiment, the SVE interface is taken as an example.
- 3: a VPN instance corresponding to each VPN is formed according to the virtual interface bound with the VPN. Each VPN instance includes a routing forwarding table and an MPLS label forwarding table.
- The routing forwarding table includes two kinds of routes, one is for indicating an exit interface through which a packet received from the VPN resource servers is to be forwarded, and the other is for indicating an exit interface through which a packet received from the users is to be forwarded. The first kind of routes include two routes. One is used in the TCP/WEB access mode, and the other route is used in the IP access mode, which will be described in detail below.
- The MPLS label forwarding table includes two kinds of table entries, one is a mapping relation between VPNs and VPN labels (inner layer labels), and the other is for indicating next hop P router information and an MPLS forwarding label for a packet received from the users.
- 4: the virtual interface is authorized to the user. In the embodiments of the present invention, the authorization operation is to bind the virtual interface with the user group. Because the virtual interface is bound with the VPN in step 2, the user group, the virtual interface and the VPN instance are in a binding relation after step 4. Regarding which virtual interface is bound with which user group, it should be determined according to the VPN resource which the user group is allowed to access. For example, a user group 1 is allowed to access resources in VPN1, and then a virtual interface corresponding to the VPN1 is bound with the user group 1. Those skilled in the art can easily understand the forming of the binding relation.
- After the configurations in the above steps, a User to VPN relation table (UVR) shown in Table 1 is formed, which records which user corresponds to which VPN and which virtual interface is bound with the VPN.
- TABLE 1

| user | User group | Virtual interface | Bound VPN instance (label index of VPN instance) |
|---|---|---|---|
| user1 | Vpn1group | SVE1/0 | VPN1 (VPN1 label index: 1) |
| user2 | Vpn2group | SVE1/1 | VPN2 (VPN2 label index: 2) |
| user3 | Pubgroup | none | PUBLIC(0) |

- As shown in Table 1, the UVR table includes the following fields: a user ID, a user group, a virtual interface, a bound VPN instance. The field of the bound VPN instance in Table 1 further includes an index of a VPN label. Table 1 is the UVR table formed according to the networking structure shown in FIG. 3. A user1 belongs to a user group Vpn1group, the user group Vpn1group is bound with a virtual interface SVE1/0, the VPN instance bound with the SVE1/0 is a VPN1 instance, and the label index of the VPN1 instance is 1. A user2 is similar to the user1. A user3 is a common user and does not belong to any VPN. Thus, as shown in the UVR table, the user3 belongs to a public user group (Pubgroup), and no virtual interface or VPN instance is bound with the Pubgroup, so the field of the bound VPN instance records, for example, PUBLIC(0).
- After the configurations in the above steps, the VPN instances corresponding to different VPNs are formed in the SSL VPN gateway. The VPN instances corresponding to the VPN1 and the VPN2 are taken as an example. In the VPN instances described below, only the fields closely related to the embodiments of the present invention are listed and unrelated fields are omitted.
- Firstly, the routing forwarding table of the VPN includes:
- vpn1 Route Information

Routing Table: vpn1, Route-Distinguisher: 100:1

| Destination/Mask | Nexthop | Interface |
|---|---|---|
| 10.1.1.0/24 | 10.1.1.1 | SVE1/0 |
| 10.1.1.1/32 | 127.0.0.1 | InLoopBack0 |

VPN Routing Table: Route-Distinguisher: 100:3

| Destination/Mask | Nexthop | Interface |
|---|---|---|
| 10.3.1.0/24 | 3.3.3.9 | InLoopBack0 |

- vpn2 Route Information

Routing Table: vpn2, Route-Distinguisher: 100:2

| Destination/Mask | Nexthop | Interface |
|---|---|---|
| 10.2.1.0/24 | 10.2.1.1 | SVE1/1 |
| 10.2.1.1/32 | 127.0.0.1 | InLoopBack0 |

VPN Routing Table: Route-Distinguisher: 100:4

| Destination/Mask | Nexthop | Interface |
|---|---|---|
| 10.4.1.0/24 | 3.3.3.9 | InLoopBack0 |

- In the routing forwarding table of the VPN1, contents of the Routing Table are the first kind of routes, and this kind of routes includes two routes.
- A destination address of the first route is the network segment, 10.1.1.0/24, to which the virtual interface SVE1/0 bound with the VPN1 and its address pool belong, and a next hop of the first route is the IP address of the virtual interface SVE1/0, 10.1.1.1.
- This route is applicable to the IP access mode. When a packet received from the VPN resource server matches 10.1.1.0/24, the next hop is determined as 10.1.1.1, i.e. the virtual interface SVE1/0, and then the packet is directly forwarded through the virtual interface SVE1/0. How to use this route in the IP access mode will be described hereinafter.
- A destination address of the second route is an IP address of the virtual interface SVE1/0 bound with the VPN1, 10.1.1.1/32, and a next hop of the second route points to an InLoopBack0 interface address 127.0.0.1.
- This route is applicable to the TCP/WEB access mode. When a packet received from the VPN resource server matches the IP address of the SVE1/0, 10.1.1.1/32, the next hop is determined as 127.0.0.1, i.e. the packet is destined for the gateway itself, and then the IP layer directly forwards the packet through the TCP layer to the SSL VPN service module in the application layer to be processed and forwarded. How to use this route in the TCP/WEB access mode will be described hereinafter.
- In the routing forwarding table of the VPN1, contents of the VPN Routing Table are the second kind of routes. The second kind of routes include such a route: a destination address of the route is the network segment which the VPN resource server belongs to, 10.3.1.0/24, and a next hop of the route is an address of an opposite PE device connected with the SSL VPN gateway through a BGP connection, where 3.3.3.9 is a loopback interface address of the opposite PE device. This route is applicable to any access mode. When a packet received from the user matches 10.3.1.0/24, the next hop is determined as 3.3.3.9.
- Configurations of the VPN routing forwarding table of the VPN2 are similar to those of the VPN1, and will not be described in detail again.
- Secondly, the MPLS label forwarding table of the VPN includes:
- Vpn-instance Name: vpn1, Route Distinguisher: 100:1

| NO | FEC (forwarding equivalence class) | NEXTHOP | OUTER-LABEL |
|---|---|---|---|
| 1 | 10.3.1.0/24 | 172.1.1.2 | 1026(vpn) |

- Vpn-instance Name: vpn2, Route Distinguisher: 100:2

| NO | FEC | NEXTHOP | OUTER-LABEL |
|---|---|---|---|
| 1 | 10.4.1.0/24 | 172.1.1.2 | 1026(vpn) |

| NO | VRFNAME | INNER-LABEL (inner label) |
|---|---|---|
| 1 | vpn1 | 1024 |
| 2 | vpn2 | 1025 |

- In the MPLS label forwarding table of the VPN1, contents of VRFNAME and INNER-LABEL record the VPN label of each VPN.
- Contents of Vpn-instance Name are a forwarding table entry: a Forwarding Equivalence Class (FEC) of the forwarding table entry is the network segment 10.3.1.0/24 which the VPN resource server belongs to, and a next hop of the forwarding table entry is the IP address, 172.1.1.2, of the first P router through which a path from the SSL VPN gateway to the VPN resource server passes. The forwarding table entry is applicable to any access mode: when a packet from a user matches 10.3.1.0/24, the next hop is determined as 172.1.1.2, so that the packet is forwarded to the correct P router.
- Based on the above UVR and VPN instances, remote access processes in the TCP/WEB access mode and the IP access mode are respectively described with reference to the embodiments.
- In this embodiment, a remote user user1 accesses an MPLS VPN through an SSL connection in the TCP/WEB access mode. It is supposed that a public network IP address of a remote host used by the user1 is 60.191.123.8, that a public network IP address of an SSL VPN gateway is 220.189.204.90, that a private IP address of a virtual interface SVE1/0 bound with VPN1 in the SSL VPN gateway is 10.1.1.1, and that a network segment where a VPN resource that the user1 is allowed to access is located is 10.3.1.0/24. For convenience of description, the address of the remote host used by the user1 is called the address of the user, and operations performed by the user through the remote host are all regarded as operations of the user.
- FIG. 4 is a flowchart of accessing an MPLS VPN by a remote user through an SSL connection in a TCP/WEB access mode according to a first embodiment of the present invention. As shown in FIG. 4, the accessing includes the following.
- Step 401: a user1 sends a logon and authentication request to an SSL VPN gateway.
- Step 402: the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the authentication, the SSL VPN gateway determines a VPN to which the user1 belongs according to a user group to which the user1 belongs, and then returns a user resource page to the user1. The user resource page includes VPN resource information that the user1 is allowed to access.
- In the embodiment, the user1 belongs to a user group Vpn1group, and thus the user1 belongs to the VPN1.
- In this step, determining the VPN to which the user1 belongs according to the user group to which the user1 belongs may be implemented by using common modes in conventional SSL VPN technologies or by using the UVR table configured in the present invention.
- Step 403: when the user1 requests accessing a VPN resource server, an SSL connection is established between the user1 and the SSL VPN gateway, and the user1 sends a user ID and a VPN resource ID requested to be accessed to the SSL VPN gateway through the SSL connection established.
- Step 404: the SSL VPN gateway determines an IP address of the VPN resource server to which the VPN resource requested to be accessed belongs according to the VPN resource ID sent by the user1, and the IP address is supposed to be 10.3.1.1; meanwhile, the SSL VPN gateway searches out a virtual interface SVE1/0 bound with the Vpn1group of the user1 from the UVR table, establishes a TCP connection between the virtual interface SVE1/0 (10.1.1.1) and the VPN resource server requested to be accessed (10.3.1.1), and maintains a bidirectional connection relation table which is called an SSL-TCP (ST) table for short. During the process of establishing the TCP connection, a VPN instance label index corresponding to a Socket of the TCP connection is configured.
- Specifically, after determining the IP address of the VPN resource server to which the VPN resource requested to be accessed belongs, the SSL VPN gateway searches the UVR table for a VPN instance to which the user1 belongs, the VPN instance being VPN1, adds a VPN instance label index 1 for the socket, and then initiates a TCP connection to 10.3.1.1. A TCP module in the TCP layer may add the VPN instance label index 1 to a TCP connection request packet according to the VPN instance label index of the socket. The operation of adding the VPN instance label index to the packet is to record the VPN instance label index in packet attributes, rather than to add the VPN instance label index in front of an IP packet. However, in an MPLS module, two layers of labels are added in front of the IP packet.
- Afterwards, an IP module searches out a corresponding VPN1 instance according to the VPN instance label index 1 of the packet, searches for a forwarding path according to a destination address 10.3.1.1 in the found VPN1 instance, determines that the packet is to be forwarded by the MPLS, and sends the packet to the MPLS module. The MPLS module searches out a VPN label 1024 of the VPN1 according to the VPN instance label index 1 of the packet, performs matching in an MPLS label forwarding table of the VPN1 instance according to the VPN instance label index 1 and the destination address of the packet, 10.3.1.1, and obtains an MPLS label forwarding table entry in which the FEC of the VPN1 instance is 10.3.1.0/24. Thus, a next hop and an MPLS forwarding label 1026 are obtained. At this moment, the MPLS module adds the VPN label 1024 and the MPLS forwarding label 1026 to the TCP connection request packet, and sends the packet to the opposite resource server according to the next hop. The interface bound with the VPN instance is SVE1/0, and thus a source address of the newly-established TCP connection is the IP address of the SVE1/0, and a destination address is 10.3.1.1. Packets sent subsequently by the user1 will be sent through the TCP connection.
- Step 405: the user1 sends a user resource request packet to the SSL VPN gateway through the SSL connection. The user resource request packet is shown as a packet ① in FIG. 4, and the packet ① includes a public network IP header, a TCP header and a data part. In order to focus on changes in the packet between the Internet and the MPLS network, the description of the TCP header is omitted, which does not affect the description of the forwarding process.
- Herein, a source address and a destination address of the public network IP header are respectively a public network IP address of the user1, 60.191.123.8, and a public network IP address of the SSL VPN gateway, 220.189.204.90.
- Step 406: when receiving the user resource request packet sent by the user1 through the SSL connection, the SSL VPN gateway determines to directly forward the user resource request packet through the TCP connection established for the user1. The TCP layer adds the VPN instance label index to the packet according to information of the TCP connection established for the user1; then, according to the VPN instance label index of the packet, the MPLS module adds the VPN label 1024 and the MPLS forwarding label 1026 which is needed when forwarding the packet, and forwards the packet.
- This step is implemented through cooperation of multiple modules in the SSL VPN gateway. The multiple modules include a TCP/WEB access mode processing module and a VPN label processing module which are located at an application layer, the TCP module located at the TCP layer, an IP module located at the IP layer, and the MPLS module located between the IP layer and a network interface. The TCP/WEB access mode processing module establishes and maintains the ST table when connections related to the remote access are established. Specifically, step 406 includes the following sub-steps.
- c1: after the packet enters the SSL VPN gateway through the SSL connection between the SSL VPN gateway and the user1, the IP module removes the public network IP header and sends the data part of the packet to the TCP/WEB access mode processing module through the TCP module.
- c2: according to the ST table, the TCP/WEB access mode processing module determines to forward the received packet through the TCP connection established for the user1, and sends the packet to the TCP module.
- c3: the TCP module adds a private network IP header to the packet according to information of the TCP connection established, adds the VPN instance label index to the packet according to the VPN instance label index of the socket, and sends the packet to the IP module. Herein, a private network source address and a private network destination address of the private network IP header are addresses of two ends of the TCP connection respectively, i.e. the private network source address is the IP address of the virtual interface SVE1/0, 10.1.1.1, and the private network destination address is the IP address of the VPN resource server requested to be accessed by the user1, 10.3.1.1.
- c4: the IP module searches out the corresponding VPN instance according to the VPN instance label index of the packet, searches for a forwarding path in the found VPN instance, determines that the packet is to be forwarded by the MPLS, and then forwards the packet to the MPLS module.
- c5: the MPLS module searches for the corresponding VPN instance according to the VPN instance label index carried by the packet, adds the VPN label and the MPLS forwarding label to the packet according to the found VPN instance, and forwards the packet. Specifically, the MPLS module learns that the packet belongs to the VPN1 according to the VPN instance label index 1 carried by the packet, obtains the VPN label 1024 from the VPN1, and performs matching in the MPLS label forwarding table according to the private network destination address of the packet. Herein, the private network destination address is 10.3.1.1 and matches a forwarding table entry in which the FEC is 10.3.1.0/24. Thus the next hop 172.1.1.2 and the MPLS forwarding label 1026 are obtained. Further, the MPLS module adds the VPN label 1024 and the MPLS forwarding label 1026 to the packet, and sends the packet to the correct P router according to the next hop 172.1.1.2.
- After the processing of step 406, the packet ① in FIG. 4 is converted to a packet ②. The packet ② includes the MPLS forwarding label, the VPN label, the private network IP header and the data part. Herein, the VPN label is an inner label used for differentiating the VPN to which the packet belongs, and the MPLS label is an outer label used for forwarding in the MPLS network.
- Step 407: the MPLS network forwards the packet to an opposite PE router according to the MPLS forwarding label carried by the packet.
- Step 408: the opposite PE router forwards the packet to the VPN resource server and returns a response packet of the VPN resource server to the MPLS network.
- Step 409: a P router adjacent to the SSL VPN gateway removes an MPLS forwarding label of the response packet, and sends the response packet to the SSL VPN gateway. The response packet sent to the SSL VPN gateway is shown as a packet ③ in FIG. 4. The packet ③ includes the VPN label, the private network IP header and the data part. Herein, the private network source address and destination address in the private network IP header are 10.3.1.1 and 10.1.1.1 respectively, and the VPN label is 1024.
- Step 410: the SSL VPN gateway searches for a corresponding VPN instance according to the VPN label carried by the response packet, performs matching in the found VPN instance according to the private network destination address of the response packet to obtain the second routing forwarding table entry in the above VPN1 instance, and obtains a next hop which is an inner loopback interface address, 127.0.0.1, and then directly forwards the received response packet to an upper layer application, i.e. to the TCP/WEB access mode processing module in the application layer. After finishing the processing, the TCP/WEB access mode processing module forwards the response packet to the user1 through the SSL connection between the TCP/WEB access mode processing module and the user1.
- Specifically, step 410 includes the following sub-steps.
- d1: after the response packet enters the SSL VPN gateway through the TCP connection established for the user1, the MPLS module determines that the response packet belongs to the VPN1 according to the VPN label 1024 carried by the response packet, and then sends information of the VPN1 and the response packet without the VPN label to the IP module.
- d2: the IP module obtains the VPN1 instance according to the information of the VPN1 to which the response packet belongs, and performs matching according to the private network destination address of the response packet, 10.1.1.1. Detailed contents of the VPN1 instance have already been described before. Herein a routing forwarding table entry in which the destination address is 10.1.1.1/32 in the VPN1 instance is obtained through the matching. The IP module obtains a next hop which is an inner loopback interface address 127.0.0.1 from the routing forwarding table entry obtained through the matching, then directly forwards the response packet without the private network IP header to the TCP/WEB access mode processing module in the application layer through the TCP module.
- d3: according to the ST table, the TCP/WEB access mode processing module determines that the response packet received from the TCP connection is to be forwarded to the user1 through the SSL connection, and forwards the response packet to the TCP module.
- d4: the TCP module adds the public network IP header to the response packet according to the information of the SSL connection, and forwards the response packet to the IP module.
- d5: the IP module searches for a public network route according to the destination address, so as to forward the response packet to the user1 through the SSL connection. The response packet sent to the user1 is shown as a packet ④ in FIG. 4. The packet ④ includes the public network IP header and the data part.
- Thus, the process is finished.
- In this embodiment, a remote user, user1, accesses an MPLS VPN through an SSL connection in the IP access mode. It is supposed that a public network IP address of a remote host used by the user1 is 60.191.123.8, that a public network IP address of an SSL VPN gateway is 220.189.204.90, that a private IP address of a virtual interface SVE1/0 bound with VPN1 in the SSL VPN gateway is 10.1.1.1, and that a network segment which a VPN resource that the user1 is allowed to access belongs to is 10.3.1.0/24.
- FIG. 5 is a flowchart illustrating accessing an MPLS VPN by a remote user through an SSL connection in an IP access mode according to a second embodiment of the present invention. As shown in FIG. 5, the method includes the following steps.
- Step 501: a user1 sends a logon and authentication request to an SSL VPN gateway.
- Step 502: the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the authentication, the SSL VPN gateway determines that the user1 belongs to VPN1 according to a user group Vpn1group which the user1 belongs to, and then returns a user resource page to the user1. In addition, the SSL VPN gateway randomly allocates one IP address to the user1 from an address pool configured for the VPN which the user1 belongs to, and the IP address is the virtual address of the user1. In the embodiment, it is supposed that the virtual address allocated to the user1 is 10.1.1.2.
- Step 503: an SSL connection is established between the user1 and the SSL VPN gateway when the user1 requests accessing a VPN resource server; in the IP access mode, the SSL VPN gateway needs to maintain a relation table of users, virtual addresses and SSL connections, which is called a User-Virtual IP-SSL (UVS) table. Since the gateway does not need to maintain the connection between the gateway and the VPN resource server in the IP access mode, the user1 only needs to send a user ID to the SSL VPN gateway through the SSL connection established.
- Step 504: the user1 sends a user resource request packet to the SSL VPN gateway through the SSL connection. The user resource request packet is shown as a packet ① in FIG. 5; different from the first embodiment, the packet ① includes not only a public network IP header and a data part, but also a private network IP header (the TCP header is again omitted).
- Herein, a source address and a destination address of the public network IP header are respectively a public network IP address of the user1, 60.191.123.8, and a public network IP address of the SSL VPN gateway, 220.189.204.90; a source address and a destination address of the private network IP header are respectively the virtual address of the user1, 10.1.1.2, and the private network IP address of the VPN resource server requested to be accessed, 10.3.1.1.
- Step 505: when receiving the user resource request packet sent by the user1, the SSL VPN gateway determines that the packet is from the user1 according to the UVS table, and further determines the VPN which the user1 belongs to by searching the UVS table. In the IP layer, a VPN instance label index is added to the packet according to a VPN instance of the VPN which the user1 belongs to; and then an MPLS module adds a VPN label and an MPLS forwarding label according to the VPN instance label index of the packet, and forwards the packet. The forwarding in this step is MPLS forwarding concurrent with common IP forwarding.
- This step is implemented through cooperation of multiple modules in the SSL VPN gateway. The multiple modules include an IP access mode processing module 1 located at an application layer, an IP access mode processing module 2 located at the IP layer, a TCP module located at a TCP layer, and the MPLS module located between the IP layer and a network interface. The IP access mode processing module 1 located at the application layer maintains the SSL connection and the UVS table, and the IP access mode processing module 2 located at the IP layer processes the forwarding. The IP access mode processing modules mode processing module 1, it also arrives at the IP access mode processing module 2, and vice versa. Specifically, step 505 includes the following sub-steps.
- c1: after the packet enters the SSL VPN gateway through the SSL connection between the SSL VPN gateway and the user1, the IP module removes the public network IP header and sends the packet with the private network IP header and the data part to the IP access mode processing module 1 through the TCP module; the IP access mode processing module 1 sends the packet to the IP access mode processing module 2.
- c2: the IP access mode processing module 2 determines that the packet is from the user1 by searching the UVS table, and further determines to forward the packet in a direct IP forwarding mode; the packet is then sent to a VPN label processing module in the IP layer.
- c3: by searching the UVS table, the VPN label processing module determines that the Vpn1group of the user1 is bound with a VPN1 instance and learns that the VPN instance label index of the VPN1 instance is 1; it then adds the VPN instance label index 1 to the IP packet obtained by parsing, and forwards the packet to the IP module.
- c4: the IP module performs route searching according to the destination address of the packet, determines that the packet is to be forwarded by the MPLS, and forwards the packet to the MPLS module.
- c5: the MPLS module searches for a corresponding VPN instance according to the VPN instance label index carried by the packet, adds a VPN label and an MPLS forwarding label to the packet according to the found VPN instance, and forwards the packet. This step is the same as step c5 in the first embodiment.
- After the processing in step 505, the packet ① in FIG. 5 is converted to a packet ②. The packet ② includes the MPLS forwarding label, the VPN label, the private network IP header and the data part. Different from the first embodiment, the private network source address in the packet ② of this embodiment is the virtual address of the user1, 10.1.1.2.
- Step 506: the MPLS network forwards the packet to an opposite PE router according to the MPLS forwarding label carried by the packet.
- Step 507: the opposite PE router forwards the packet to the VPN resource server and returns a response packet of the VPN resource server to the MPLS network.
- Step 508: a P router adjacent to the SSL VPN gateway removes an MPLS forwarding label of the response packet, and sends the response packet to the SSL VPN gateway. The response packet sent to the SSL VPN gateway is shown as a packet ③ in FIG. 5. The packet ③ includes the VPN label, the private network IP header and the data part. Herein, the private network source address and destination address in the private network IP header are respectively 10.3.1.1 and 10.1.1.2, and the VPN label is 1024.
- Step 509: the SSL VPN gateway searches for a corresponding VPN instance according to the VPN label carried by the response packet, performs matching in the found VPN instance according to the private network destination address 10.1.1.2 of the response packet to obtain the first routing forwarding table entry in the above VPN1 instance and a next hop which is the virtual interface SVE1/0, and then directly forwards the response packet to the user1 through the SSL connection via the SVE1/0.
- Specifically, step 509 includes the following sub-steps.
- d1: after the response packet enters the SSL VPN gateway, the MPLS module determines that the response packet belongs to the VPN1 according to the VPN label carried by the response packet, and then sends information of the VPN1 which the response packet belongs to and the response packet without the VPN label to the IP module.
- d2: the IP module obtains the VPN1 instance according to the information of the VPN1 to which the response packet belongs, and performs routing matching in the VPN1 instance according to the private network destination address 10.1.1.2 of the response packet, and finds a matched routing forwarding table entry in which the destination address is 10.1.1.0/24 in the VPN1 instance; the IP module obtains a next hop which is the IP address 10.1.1.1 of the virtual interface SVE1/0 from the matched routing forwarding table entry; since the destination address is not a local inner interface address, the virtual interface directly forwards the packet after receiving the packet.
- d3: the forwarding function of the virtual interface is implemented by the IP access mode processing module 2 located at the IP layer. The IP access mode processing module 2 determines that the response packet is to be forwarded to the user1 through the SSL connection according to the private network destination address, i.e. the virtual address 10.1.1.2 in the response packet, and according to the UVS table; and then forwards the response packet to the IP access mode processing module 1 located at the application layer. The IP access mode processing module 1 sends the packet to the TCP module.
- d4: the TCP module adds a public network IP header to the response packet according to the information of the SSL connection, and forwards the response packet to the IP module.
- d5: the IP module searches for a public network route, so as to forward the response packet to the user1 through the SSL connection. The response packet sent to the user1 is shown as a packet ④ in FIG. 5. The packet ④ includes the public network IP header, the private network IP header and the data part.
- And the process is finished.
- The first embodiment is a solution supporting the TCP and/or WEB access mode, and the second embodiment is a solution supporting the IP access mode. Actually, the TCP access mode, the WEB access mode and the IP access mode may coexist, or only two of the three are supported at the same time.
- The processing for a public network user, user3, is the same as the processing in the conventional SSL VPN gateway. Specifically, when receiving a user resource request packet of the user3, the SSL VPN gateway searches the UVR table and determines that the user3 belongs to the user group Pubgroup and is not bound with any VPN, and thus determines that a packet of a public user is received and does not add any label, but directly sends the packet to the VPN resource server through a public route, also called a global route. Similarly, when receiving a packet without a VPN label from the VPN resource server, the SSL VPN gateway sends the packet to an upper layer through the global route to be sent through the SSL connection, or directly sends the packet via the virtual interface through the SSL connection.
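The forwarding logic of the two embodiments above, and of the gateway units described below, reduced to a small runnable model. This is an added example, not code from the patent: the names VPN1, SVE1/0, Pubgroup, user1 and user3, the addresses 10.1.1.0/24, 10.1.1.1 and 10.1.1.2 and the labels 1024 and 1026 come from this page, while the group names Group1 and Group2, the second VPN with its overlapping address pool, interface SVE2/0 and labels 1025 and 1027, the source-address check in `egress`, and all class and function names are assumptions made for the example. The point it makes is the security-relevant one: the VPN a packet is steered into comes from the authenticated user's UVR binding on the way in and from the gateway-allocated VPN label on the way back, never from an address inside the packet, and a response whose label or destination does not fit the selected VRF is dropped rather than delivered.

```python
"""Model of the gateway's VRF-aware forwarding: UVR binding, one VRF per VPN,
label push on the user-to-server path, label-driven VRF lookup on the way back.
Added example, not the patent's code; VPN2, Group1/Group2, SVE2/0, the labels
1025/1027 and the egress source check are assumptions made for the example."""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional

LOOPBACK = "127.0.0.1"   # next hop meaning "deliver to the upper layer application"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # LOOPBACK, or the address of the virtual interface
    interface: str       # "lo" or a virtual interface such as "SVE1/0"


@dataclass
class Vrf:
    name: str
    vpn_label: int       # inner label that identifies this VPN (1024 for VPN1)
    fwd_label: int       # outer label towards the remote PE (1026 for VPN1)
    routes: list = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match confined to this VRF's own routing table."""
        addr = ipaddress.IPv4Address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


@dataclass
class Gateway:
    uvr: dict                      # user group -> VPN name, None for a public group
    user_group: dict               # authenticated user -> user group
    vrfs: dict                     # VPN name -> Vrf
    uvs: dict = field(default_factory=dict)   # (VPN name, virtual address) -> user
    label_to_vpn: dict = field(init=False)

    def __post_init__(self):
        self.label_to_vpn = {v.vpn_label: n for n, v in self.vrfs.items()}

    def vpn_of(self, user: str) -> Optional[str]:
        """The VPN bound to the user's group in the UVR table (never read from a packet)."""
        return self.uvr.get(self.user_group[user])

    def egress(self, user: str, pkt: dict) -> dict:
        """Packet received over the user's SSL connection, headed for the MPLS side."""
        vpn = self.vpn_of(user)
        if vpn is None:                                   # user3's case: global route
            return {**pkt, "labels": [], "route": "global"}
        # IP access mode carries a private header; the source must be the
        # virtual address this gateway allocated to this user (assumed check)
        if "src" in pkt and self.uvs.get((vpn, pkt["src"])) != user:
            return {"action": "drop", "reason": "source is not the user's virtual address"}
        vrf = self.vrfs[vpn]
        return {**pkt, "labels": [vrf.fwd_label, vrf.vpn_label], "route": vpn}

    def ingress(self, pkt: dict) -> dict:
        """Response from the MPLS side: the bottom label picks the VRF, the lookup in
        that VRF picks local delivery (TCP/WEB mode) or the virtual interface (IP mode)."""
        labels = pkt.get("labels", [])
        if not labels:                                    # unlabelled: public server
            return {"action": "global", "vpn": None}
        vpn = self.label_to_vpn.get(labels[-1])
        if vpn is None:
            return {"action": "drop", "reason": "VPN label not allocated by this gateway"}
        route = self.vrfs[vpn].lookup(pkt["dst"])
        if route is None:
            return {"action": "drop", "reason": f"no route to {pkt['dst']} in {vpn}"}
        if route.next_hop == LOOPBACK:                    # second entry: ST table takes over
            return {"action": "to_upper_layer", "vpn": vpn}
        user = self.uvs.get((vpn, pkt["dst"]))           # first entry: UVS table
        if user is None:
            return {"action": "drop", "reason": "no SSL user owns that virtual address"}
        return {"action": "to_virtual_interface", "vpn": vpn,
                "interface": route.interface, "user": user}


def build_gateway() -> Gateway:
    """The page's VPN1 next to an assumed VPN2 whose address pool overlaps it."""
    vpn1 = Vrf("VPN1", vpn_label=1024, fwd_label=1026, routes=[
        Route(ipaddress.ip_network("10.1.1.1/32"), LOOPBACK, "lo"),        # SVE1/0's own address
        Route(ipaddress.ip_network("10.1.1.0/24"), "10.1.1.1", "SVE1/0"),  # VPN1 address pool
    ])
    vpn2 = Vrf("VPN2", vpn_label=1025, fwd_label=1027, routes=[
        Route(ipaddress.ip_network("10.1.1.0/24"), "10.1.1.1", "SVE2/0"),
    ])
    gw = Gateway(
        uvr={"Group1": "VPN1", "Group2": "VPN2", "Pubgroup": None},
        user_group={"user1": "Group1", "user2": "Group2", "user3": "Pubgroup"},
        vrfs={"VPN1": vpn1, "VPN2": vpn2},
    )
    gw.uvs[("VPN1", "10.1.1.2")] = "user1"   # virtual addresses allocated at logon
    gw.uvs[("VPN2", "10.1.1.2")] = "user2"
    return gw


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.egress("user1", {"src": "10.1.1.2", "dst": "10.1.2.10"}))  # assumed server address
    print(gw.ingress({"labels": [1024], "dst": "10.1.1.2"}))
    print(gw.ingress({"labels": [1025], "dst": "10.1.1.2"}))
```

Keying the UVS table by (VPN, virtual address) rather than by address alone is what lets two customers' pools overlap without a response for one customer being handed to the other's SSL session; the source check in `egress` stops an IP mode client from emitting packets on behalf of another virtual address in the same pool.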
- In order to implement the above methods, embodiments of the present invention provide a gateway. The gateway is applicable to systems in which a remote user accesses a VPN resource server in an MPLS VPN through an SSL connection between the remote user and the gateway. The gateway functions both as an SSL VPN gateway in the SSL VPN and as a PE router in the MPLS VPN. In the embodiment, the gateway is called an SSL VPN gateway.
- FIG. 6 is a schematic diagram illustrating a structure of an SSL VPN gateway according to an embodiment of the present invention. As shown in FIG. 6, the SSL VPN gateway includes a configuration unit (also called a WMI unit), a first network interface, a second network interface, a processing unit, a VPN instance storing unit (also called a VRF unit) and a relation storing unit (also called a UVR unit). - The WMI unit is adapted to establish multiple virtual interfaces, each virtual interface being bound with one VPN and the VPN instances being formed according to the virtual interfaces bound with the VPNs; save the VPN instances in the VRF unit; differentiate different VPN users according to the authentication and authorization information of the users; bind the authentication and authorization information of the users with the corresponding VPNs; and save the binding relations in the UVR unit. When establishing the virtual interfaces, the WMI unit establishes one virtual interface for the address pool configured for each VPN; the address pool and the corresponding VPN belong to the same network segment, and the address pools are used only in the IP access mode.
- Preferably, the WMI unit is further adapted to form a UVR table as shown in Table 1 according to various binding relations established, and save the UVR table in the UVR unit. The VPN instances formed by the WMI unit include a routing forwarding table and an MPLS label forwarding table; contents of the two tables are the same as those described in the method embodiments and are not described herein.
- The UVR unit is adapted to store the binding relation established by the WMI unit.
- The VRF unit is adapted to store the VPN instances.
- The first network interface is adapted to provide a data transmission channel between the SSL VPN gateway where the first network interface is located and a user, and couple a remote host through the Internet.
- The second network interface is adapted to provide a data transmission channel between the SSL VPN gateway where the second network interface is located and an MPLS network, and couple a VPN resource server through the MPLS network.
- The processing unit is adapted to perform information interaction with the user1 and establish the connections related to remote access. When receiving a packet sent by the user1 through the SSL connection, the processing unit is adapted to obtain the VPN instance bound with the user group which the user1 belongs to, i.e. the VPN1 instance, from the VRF unit according to the binding relations stored in the UVR unit; add a VPN label 1024 and an MPLS forwarding label 1026 to the packet by using the VPN1 instance; and send the packet to the VPN resource server through the MPLS network. When receiving a response packet from the VPN resource server, the processing unit is adapted to search for the corresponding VPN instance in the VRF unit according to the VPN label 1024 carried by the response packet, and forward the response packet to the user1 through the SSL connection between the processing unit and the user1 according to the found VPN instance.
- When the VPN resource server is accessed in the TCP or WEB mode, the processing unit is further adapted to establish an SSL connection between the user1 and the SSL VPN gateway when establishing the connections related to remote access, establish a TCP connection between the virtual interface SVE1/0 and the VPN resource server requested by the user1, and maintain an ST table. In the process of establishing the TCP connection, the processing unit adds a VPN instance label index 1 to the socket of the established TCP connection according to the VPN instance bound with the authentication and authorization information of the user1.
- When receiving a packet sent by the user1 through the SSL connection, the processing unit adds the VPN instance label index 1 to the received packet at the TCP layer according to the information of the TCP connection established for the user1. An MPLS module in the processing unit then searches out the VPN1 instance according to the VPN instance label index 1, adds the VPN label 1024 and the MPLS forwarding label 1026 to the packet according to the VPN instance label index of the packet, and forwards the packet to the VPN resource server S1 through the TCP connection established for the user1.
- When receiving a response packet through the TCP connection, the processing unit searches for the corresponding VPN instance according to the VPN label 1024 carried by the response packet, performs matching in the found VPN instance according to the private network destination address 10.1.1.1 of the response packet to obtain a second routing forwarding table entry in the VPN1 instance whose next hop is the inner loopback interface address 127.0.0.1, and directly forwards the received response packet to an upper layer application. The upper layer application sends the response packet to the user1 through the SSL connection.
- When the VPN resource server is accessed in the IP access mode, the WMI unit is further adapted to establish a virtual interface for the address pool configured for each VPN when establishing the multiple virtual interfaces. The address pool and the virtual interface corresponding to the address pool belong to the same network segment.
- The processing unit is further adapted to allocate one virtual address 10.1.1.2 for the user1 from the address pool configured for the VPN which the user1 belongs to when establishing the connections related to remote access, and establish the SSL connection between the user1 and the SSL VPN gateway.
- The processing unit is further adapted to, when receiving a packet carrying a private network IP header (with the private network source address 10.1.1.2) sent by the user1 through the SSL connection, add the VPN instance label index 1 to the received packet at the IP layer according to the VPN1 instance bound with the user group which the user1 belongs to; the MPLS module in the processing unit then adds the VPN label 1024 and the MPLS forwarding label 1026 to the packet according to the VPN instance label index 1.
- The processing unit is further adapted to, when receiving a response packet, search for the corresponding VPN instance according to the VPN label 1024 carried by the response packet, perform matching in the found VPN instance according to the private network destination address 10.1.1.2 of the response packet (the virtual address of the user1) to obtain a first routing forwarding table entry in the VPN1 instance whose next hop is the IP address 10.1.1.1 of the virtual interface SVE1/0, and forward the response packet to the user1 through the SSL connection by using the virtual interface SVE1/0. - The processing module is described hereinafter in detail.
- The processing module includes an SSL VPN service module, a VPN label processing module, a TCP module, an IP module and an MPLS module. The SSL VPN service module includes one or a combination of a TCP/WEB access mode processing module and an IP access mode processing module according to an access mode supported by the SSL VPN gateway.
- FIG. 7 is a schematic diagram illustrating a structure of an SSL VPN gateway when a VPN resource server is accessed by using a TCP/WEB mode according to an embodiment of the present invention. As shown in FIG. 7, the processing unit includes a TCP/WEB access mode processing module and a VPN label processing module which are located at an application layer, a TCP module located at a TCP layer, an IP module located at an IP layer, and an MPLS module located between the IP layer and a network interface. - The TCP/WEB access mode processing module is adapted to return a user resource page to the user1 when the user1 requests logon and authentication; when the user1 requests access to the VPN resource server S1, establish the SSL connection between the user1 and the SSL VPN gateway, establish a TCP connection between the virtual interface SVE1/0 and the VPN resource server S1, and maintain an ST table.
- In the process of establishing the TCP connection, the VPN label processing module is adapted to add the VPN instance label index 1 to the socket of the TCP connection according to the VPN1 instance bound with the user group which the user1 belongs to.
- After the packet enters the SSL VPN gateway through the SSL connection between the user1 and the SSL VPN gateway, the IP module is adapted to remove the public network IP header of the packet, and send the data part of the packet to the TCP/WEB access mode processing module through the TCP module.
- The TCP/WEB access mode processing module is further adapted to determine, according to the ST table, that the received packet is to be forwarded through the TCP connection established for the user1, and send the packet to the TCP module.
- The TCP module is adapted to add the private network IP header to the packet according to the information of the TCP connection established for the user1, add the VPN instance label index 1 to the packet according to the VPN instance label index 1 of the socket, and send the packet to the IP module.
- Afterwards, the IP module is adapted to perform route searching, i.e. search out the corresponding VPN1 instance according to the VPN instance label index 1 of the packet, search for a forwarding path in the VPN routing table and the label forwarding table so as to determine that the packet is to be forwarded by MPLS, and send the packet to the MPLS module.
- The MPLS module is adapted to search out the corresponding VPN1 instance in the VRF unit according to the VPN instance label index 1 carried by the packet, add the VPN label 1024 and the MPLS forwarding label 1026 to the packet according to the found VPN1 instance, and forward the packet.
- After the response packet enters the SSL VPN gateway through the TCP connection between the VPN resource server S1 and the SSL VPN gateway, the MPLS module is adapted to determine the VPN to which the response packet belongs according to the VPN label 1024 carried by the response packet, and send the identification of VPN1 together with the response packet without the VPN label to the IP module.
- The IP module is adapted to obtain the corresponding VPN instance from the VRF unit according to the identification of the VPN which the response packet belongs to, perform matching in the VPN1 instance according to the private network destination address 10.1.1.1 of the response packet (the address of the virtual interface SVE1/0 that owns the TCP connection) to obtain a second routing forwarding table entry in the VPN1 instance whose next hop is the inner loopback interface address 127.0.0.1, and directly forward the response packet without the private network IP header to the TCP/WEB access mode processing module through the TCP module.
- The TCP/WEB access mode processing module is adapted to determine according to the ST table that the response packet received through the TCP connection is to be forwarded to the user1 through the SSL connection, and forward the response packet to the TCP module. The TCP module is adapted to add the public network IP header to the response packet according to the information of the SSL connection, and forward the response packet to the IP module. The IP module is adapted to search for the public network route and forward the response packet to the user1.
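What "add the VPN label 1024 and the MPLS forwarding label 1026" means on the wire, and the check the MPLS module should make before it trusts the label on a response arriving from the PE-facing interface. This is an added example, not the patent's code: the four-byte label stack entry layout (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL), the reserved label range and the ethertypes 0x8847 and 0x0800 are from RFC 3032, the label values are this page's, and the ALLOCATED table, the function names and the sample payloads are assumptions made for the example.

```python
"""Byte-level view of the two-label stack pushed on the user-to-server path
(outer forwarding label 1026 over inner VPN label 1024) and of the label check
run on a response before its VPN label is allowed to select a VRF.
Added example, not the patent's code; ALLOCATED and the function names are
assumptions, the entry layout is RFC 3032."""
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847
RESERVED_LABEL_MAX = 15          # labels 0-15 are reserved and never allocated to a VPN

# VPN labels this PE handed out, keyed by label (assumed for the example)
ALLOCATED = {1024: "VPN1"}


def encode_entry(label: int, bottom: bool, tc: int = 0, ttl: int = 64) -> bytes:
    """One 32-bit label stack entry: label (20) | TC (3) | S (1) | TTL (8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError(f"label {label} does not fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def push_labels(packet: bytes, labels: list, ttl: int = 64) -> bytes:
    """labels[0] is the outermost (forwarding) label; labels[-1], the VPN label, gets S=1."""
    if not labels:
        raise ValueError("nothing to push")
    stack = b"".join(
        encode_entry(lbl, bottom=(i == len(labels) - 1), ttl=ttl)
        for i, lbl in enumerate(labels)
    )
    return stack + packet


def pop_labels(frame: bytes) -> tuple:
    """Walk the stack until the bottom-of-stack bit; refuse a stack that ends early."""
    labels = []
    off = 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", frame, off)
        labels.append(word >> 12)
        off += 4
        if word & 0x100:                       # S bit set: this was the VPN label
            return labels, frame[off:]


def classify_response(ethertype: int, payload: bytes) -> tuple:
    """What the MPLS module does with a frame from the MPLS-facing interface.
    Unlabelled IPv4 is the public-server case and goes to the global table;
    a labelled frame is accepted only if its bottom label was allocated here."""
    if ethertype == ETHERTYPE_IPV4:
        return None, payload
    if ethertype != ETHERTYPE_MPLS:
        raise ValueError(f"unexpected ethertype {ethertype:#06x}")
    labels, inner = pop_labels(payload)
    vpn_label = labels[-1]
    if vpn_label <= RESERVED_LABEL_MAX:
        raise ValueError(f"reserved label {vpn_label} in VPN position")
    vpn: Optional[str] = ALLOCATED.get(vpn_label)
    if vpn is None:
        raise ValueError(f"label {vpn_label} was not allocated by this PE")
    return vpn, inner


if __name__ == "__main__":
    frame = push_labels(b"<private IP packet>", [1026, 1024])   # constructed sample payload
    print(frame[:8].hex(" "))                                     # 00 40 20 40 00 40 01 40
    print(classify_response(ETHERTYPE_MPLS, push_labels(b"<private IP packet>", [1024])))
```

The outer label 1026 is normally gone by the time a response reaches the gateway (penultimate-hop popping), so `classify_response` only cares about the bottom entry; what matters is that a label the gateway never allocated, or a reserved label, is refused instead of being looked up, because the VPN label is the only thing standing between a forged frame on the MPLS side and somebody's SSL session.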
- FIG. 8 is a schematic diagram illustrating a structure of an SSL VPN gateway when a VPN resource server is accessed by using an IP mode according to an embodiment of the present invention. As shown in FIG. 8, the processing unit includes an IP access mode processing module 1 located at an application layer, an IP access mode processing module 2 and a VPN label processing module which are located at an IP layer, a TCP module located at a TCP layer, an IP module located at the IP layer and an MPLS module located between the IP layer and a network interface.
- The IP access mode processing module 1 is adapted to return a user resource page to the user1 when the user1 requests logon and authentication, and allocate one virtual address 10.1.1.2 for the user1 from the address pool configured for the VPN to which the user1 belongs; when the user1 requests access to a VPN resource server, establish an SSL connection between the user1 and the SSL VPN gateway, and maintain a UVS table. The UVS table is shared with the IP access mode processing module 2.
- After the packet enters the SSL VPN gateway through the SSL connection between the user1 and the SSL VPN gateway, the IP module is adapted to remove the public network IP header of the packet, and send the packet containing the private network IP header and the data part to the IP access mode processing module 1 located at the application layer through the TCP module. The IP access mode processing module 1 sends the packet to the IP access mode processing module 2 located at the IP layer. The private network source address is the virtual address of the user1, 10.1.1.2.
- The IP access mode processing module 2 is adapted to determine, according to the UVS table, to forward the packet in a direct IP forwarding mode, and send the packet to the VPN label processing module.
- The VPN label processing module is adapted to determine, according to the binding relation stored in the UVR unit, that the VPN bound with the user group to which the user1 belongs is VPN1, add the VPN instance label index 1 to the packet, and send the packet to the IP module.
- The IP module is adapted to determine, by route searching, that the packet is to be forwarded by MPLS, and send the packet to the MPLS module.
- The MPLS module is adapted to search for the corresponding VPN instance according to the VPN instance label index 1 carried by the packet, add the VPN label 1024 and the MPLS forwarding label 1026 to the packet according to the found VPN1 instance, and send the packet.
- After a response packet enters the SSL VPN gateway through the second network interface, the MPLS module is adapted to determine the VPN to which the response packet belongs according to the VPN label 1024 carried by the response packet, and send the identification of that VPN together with the response packet without the VPN label to the IP module.
- The IP module is adapted to obtain the corresponding VPN instance from the VRF unit according to the identification of the VPN which the response packet belongs to; perform route matching according to the private network destination address of the response packet, i.e. the virtual address of the user1, to obtain a first routing forwarding table entry in the VPN1 instance whose next hop is SVE1/0; and forward the response packet to the virtual interface SVE1/0 according to the first routing forwarding table entry. The forwarding function of the virtual interface SVE1/0 is implemented by the IP access mode processing module 2 located at the IP layer, i.e. the response packet is forwarded to the IP access mode processing module 2.
- The IP access mode processing module 2 is adapted to determine, according to the UVS table, to forward the response packet via the virtual interface SVE1/0 through the SSL connection with the user1, and send the response packet to the TCP module. The TCP module is adapted to add a public network IP header to the response packet according to the information of the SSL connection, and send the response packet to the IP module.
- The IP module is adapted to send the response packet to the user1 by searching for a public network route.
- The present invention further provides a system for remotely accessing an MPLS VPN. As shown in FIG. 3, the system includes a remote host used by a user, the Internet, an SSL VPN gateway, an MPLS VPN and a VPN resource server in the MPLS VPN. The remote host remotely accesses the VPN resource server in the MPLS VPN through the SSL connection between the remote host and the SSL VPN gateway. The SSL VPN gateway also functions as a PE router of the MPLS VPN and may be any of the SSL VPN gateways described in the above embodiments. - The foregoing describes only the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent substitution, or improvement made without departing from the principle of the present invention should be covered by the scope set forth in the appended claims.
Claims (19)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910088986.1 | 2009-07-15 | ||
CN200910088986 | 2009-07-15 | ||
CN2009100889861A CN101599901B (en) | 2009-07-15 | 2009-07-15 | Method, system and gateway for remotely accessing MPLS VPN |
Publications (2)
Publication Number | Publication Date |
---|---|
US20110013637A1 true US20110013637A1 (en) | 2011-01-20 |
US8274967B2 US8274967B2 (en) | 2012-09-25 |
Family
ID=41421159
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/836,439 Active 2031-02-20 US8274967B2 (en) | 2009-07-15 | 2010-07-14 | Method, system and gateway for remotely accessing MPLS VPN |
Country Status (2)
Country | Link |
---|---|
US (1) | US8274967B2 (en) |
CN (1) | CN101599901B (en) |
Cited By (156)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110191442A1 (en) * | 2010-01-29 | 2011-08-04 | Michael Ovsiannikov | Systems and methods of using ssl pools for wan acceleration |
US20130265910A1 (en) * | 2010-12-23 | 2013-10-10 | Nederlandse Organisatie Voor Toegepast-Natuurwetenschappelijk Onderzoek Tno | Method, Gateway Device and Network System for Configuring a Device in a Local Area Network |
US20140223515A1 (en) * | 2013-02-01 | 2014-08-07 | Junaid Islam | Securing Organizational Computing Assets over a Network Using Virtual Domains |
US20150092780A1 (en) * | 2012-06-06 | 2015-04-02 | Huawei Technologies Co., Ltd. | Label Distribution Method and Device |
US20150200852A1 (en) * | 2014-01-14 | 2015-07-16 | Palo Alto Research Center Incorporated | Method and apparatus for establishing a virtual interface for a set of mutual-listener devices |
US20150257182A1 (en) * | 2012-11-28 | 2015-09-10 | Huawei Technologies Co., Ltd. | Mobile network communications method, communications apparatus, and communications system |
US20150282041A1 (en) * | 2014-03-31 | 2015-10-01 | Mobile Iron, Inc. | Mobile device traffic splitter |
JP2016005196A (en) * | 2014-06-18 | 2016-01-12 | エヌ・ティ・ティ・コミュニケーションズ株式会社 | Tunnel connection device, communication network, data communication method, and program |
US9276840B2 (en) | 2013-10-30 | 2016-03-01 | Palo Alto Research Center Incorporated | Interest messages with a payload for a named data network |
US9276751B2 (en) | 2014-05-28 | 2016-03-01 | Palo Alto Research Center Incorporated | System and method for circular link resolution with computable hash-based names in content-centric networks |
US9280546B2 (en) | 2012-10-31 | 2016-03-08 | Palo Alto Research Center Incorporated | System and method for accessing digital content using a location-independent name |
US9311377B2 (en) | 2013-11-13 | 2016-04-12 | Palo Alto Research Center Incorporated | Method and apparatus for performing server handoff in a name-based content distribution system |
US20160119228A1 (en) * | 2013-06-24 | 2016-04-28 | Hangzhou H3C Technologies Co., Ltd. | Forwarding packets |
US9363179B2 (en) | 2014-03-26 | 2016-06-07 | Palo Alto Research Center Incorporated | Multi-publisher routing protocol for named data networks |
US9363086B2 (en) | 2014-03-31 | 2016-06-07 | Palo Alto Research Center Incorporated | Aggregate signing of data in content centric networking |
US9374304B2 (en) | 2014-01-24 | 2016-06-21 | Palo Alto Research Center Incorporated | End-to end route tracing over a named-data network |
US9390289B2 (en) | 2014-04-07 | 2016-07-12 | Palo Alto Research Center Incorporated | Secure collection synchronization using matched network names |
US9391777B2 (en) | 2014-08-15 | 2016-07-12 | Palo Alto Research Center Incorporated | System and method for performing key resolution over a content centric network |
US9391896B2 (en) | 2014-03-10 | 2016-07-12 | Palo Alto Research Center Incorporated | System and method for packet forwarding using a conjunctive normal form strategy in a content-centric network |
US9401864B2 (en) | 2013-10-31 | 2016-07-26 | Palo Alto Research Center Incorporated | Express header for packets with hierarchically structured variable-length identifiers |
US9400800B2 (en) | 2012-11-19 | 2016-07-26 | Palo Alto Research Center Incorporated | Data transport by named content synchronization |
US9407549B2 (en) | 2013-10-29 | 2016-08-02 | Palo Alto Research Center Incorporated | System and method for hash-based forwarding of packets with hierarchically structured variable-length identifiers |
US9407432B2 (en) | 2014-03-19 | 2016-08-02 | Palo Alto Research Center Incorporated | System and method for efficient and secure distribution of digital content |
US9426113B2 (en) | 2014-06-30 | 2016-08-23 | Palo Alto Research Center Incorporated | System and method for managing devices over a content centric network |
US9444722B2 (en) | 2013-08-01 | 2016-09-13 | Palo Alto Research Center Incorporated | Method and apparatus for configuring routing paths in a custodian-based routing architecture |
CN105939344A (en) * | 2016-04-18 | 2016-09-14 | 杭州迪普科技有限公司 | TCP (Transmission Control Protocol) connection establishing method and device |
US9451032B2 (en) | 2014-04-10 | 2016-09-20 | Palo Alto Research Center Incorporated | System and method for simple service discovery in content-centric networks |
US9455835B2 (en) | 2014-05-23 | 2016-09-27 | Palo Alto Research Center Incorporated | System and method for circular link resolution with hash-based names in content-centric networks |
US9456054B2 (en) | 2008-05-16 | 2016-09-27 | Palo Alto Research Center Incorporated | Controlling the spread of interests and content in a content centric network |
US9462006B2 (en) | 2015-01-21 | 2016-10-04 | Palo Alto Research Center Incorporated | Network-layer application-specific trust model |
US9467492B2 (en) | 2014-08-19 | 2016-10-11 | Palo Alto Research Center Incorporated | System and method for reconstructable all-in-one content stream |
US9473576B2 (en) | 2014-04-07 | 2016-10-18 | Palo Alto Research Center Incorporated | Service discovery using collection synchronization with exact names |
US9473475B2 (en) | 2014-12-22 | 2016-10-18 | Palo Alto Research Center Incorporated | Low-cost authenticated signing delegation in content centric networking |
US9473405B2 (en) | 2014-03-10 | 2016-10-18 | Palo Alto Research Center Incorporated | Concurrent hashes and sub-hashes on data streams |
US20160308836A1 (en) * | 2015-04-15 | 2016-10-20 | Electronics And Telecommunications Research Institute | Virtual private network security apparatus and operation method thereof |
US9497282B2 (en) | 2014-08-27 | 2016-11-15 | Palo Alto Research Center Incorporated | Network coding for content-centric network |
US9503358B2 (en) | 2013-12-05 | 2016-11-22 | Palo Alto Research Center Incorporated | Distance-based routing in an information-centric network |
US9503365B2 (en) | 2014-08-11 | 2016-11-22 | Palo Alto Research Center Incorporated | Reputation-based instruction processing over an information centric network |
US9516144B2 (en) | 2014-06-19 | 2016-12-06 | Palo Alto Research Center Incorporated | Cut-through forwarding of CCNx message fragments with IP encapsulation |
US9535968B2 (en) | 2014-07-21 | 2017-01-03 | Palo Alto Research Center Incorporated | System for distributing nameless objects using self-certifying names |
US9536059B2 (en) | 2014-12-15 | 2017-01-03 | Palo Alto Research Center Incorporated | Method and system for verifying renamed content using manifests in a content centric network |
US9537719B2 (en) | 2014-06-19 | 2017-01-03 | Palo Alto Research Center Incorporated | Method and apparatus for deploying a minimal-cost CCN topology |
US9552493B2 (en) | 2015-02-03 | 2017-01-24 | Palo Alto Research Center Incorporated | Access control framework for information centric networking |
US9553812B2 (en) | 2014-09-09 | 2017-01-24 | Palo Alto Research Center Incorporated | Interest keep alives at intermediate routers in a CCN |
US9590887B2 (en) | 2014-07-18 | 2017-03-07 | Cisco Systems, Inc. | Method and system for keeping interest alive in a content centric network |
US9590948B2 (en) | 2014-12-15 | 2017-03-07 | Cisco Systems, Inc. | CCN routing using hardware-assisted hash tables |
US9602596B2 (en) | 2015-01-12 | 2017-03-21 | Cisco Systems, Inc. | Peer-to-peer sharing in a content centric network |
US9609014B2 (en) | 2014-05-22 | 2017-03-28 | Cisco Systems, Inc. | Method and apparatus for preventing insertion of malicious content at a named data network router |
US9621354B2 (en) | 2014-07-17 | 2017-04-11 | Cisco Systems, Inc. | Reconstructable content objects |
US9626413B2 (en) | 2014-03-10 | 2017-04-18 | Cisco Systems, Inc. | System and method for ranking content popularity in a content-centric network |
US9641551B1 (en) * | 2013-08-13 | 2017-05-02 | vIPtela Inc. | System and method for traversing a NAT device with IPSEC AH authentication |
US9660825B2 (en) | 2014-12-24 | 2017-05-23 | Cisco Technology, Inc. | System and method for multi-source multicasting in content-centric networks |
US9678998B2 (en) | 2014-02-28 | 2017-06-13 | Cisco Technology, Inc. | Content name resolution for information centric networking |
US20170170987A1 (en) * | 2015-12-10 | 2017-06-15 | Nicira, Inc. | Transport protocol task offload emulation to detect offload segments for communication with a private network |
US9686194B2 (en) | 2009-10-21 | 2017-06-20 | Cisco Technology, Inc. | Adaptive multi-interface use for content networking |
US9699198B2 (en) | 2014-07-07 | 2017-07-04 | Cisco Technology, Inc. | System and method for parallel secure content bootstrapping in content-centric networks |
US9716622B2 (en) | 2014-04-01 | 2017-07-25 | Cisco Technology, Inc. | System and method for dynamic name configuration in content-centric networks |
US9729616B2 (en) | 2014-07-18 | 2017-08-08 | Cisco Technology, Inc. | Reputation-based strategy for forwarding and responding to interests over a content centric network |
US9729662B2 (en) | 2014-08-11 | 2017-08-08 | Cisco Technology, Inc. | Probabilistic lazy-forwarding technique without validation in a content centric network |
US9769067B2 (en) | 2012-06-06 | 2017-09-19 | Huawei Technologies Co., Ltd. | Multiprotocol label switching traffic engineering tunnel establishing method and device |
US9794238B2 (en) | 2015-10-29 | 2017-10-17 | Cisco Technology, Inc. | System for key exchange in a content centric network |
US9800637B2 (en) | 2014-08-19 | 2017-10-24 | Cisco Technology, Inc. | System and method for all-in-one content stream in content-centric networks |
US20170304086A1 (en) * | 2016-04-22 | 2017-10-26 | Rehabilitation Institute of Chicago d/b/a Shireley Ryan AbilityLab | Safety Overload for Direct Skeletal Attachment |
US9807205B2 (en) | 2015-11-02 | 2017-10-31 | Cisco Technology, Inc. | Header compression for CCN messages using dictionary |
US9832116B2 (en) | 2016-03-14 | 2017-11-28 | Cisco Technology, Inc. | Adjusting entries in a forwarding information base in a content centric network |
US9832291B2 (en) | 2015-01-12 | 2017-11-28 | Cisco Technology, Inc. | Auto-configurable transport stack |
US9832123B2 (en) | 2015-09-11 | 2017-11-28 | Cisco Technology, Inc. | Network named fragments in a content centric network |
US9836540B2 (en) | 2014-03-04 | 2017-12-05 | Cisco Technology, Inc. | System and method for direct storage access in a content-centric network |
US9846881B2 (en) | 2014-12-19 | 2017-12-19 | Palo Alto Research Center Incorporated | Frugal user engagement help systems |
US9882964B2 (en) | 2014-08-08 | 2018-01-30 | Cisco Technology, Inc. | Explicit strategy feedback in name-based forwarding |
US9912776B2 (en) | 2015-12-02 | 2018-03-06 | Cisco Technology, Inc. | Explicit content deletion commands in a content centric network |
US9916601B2 (en) | 2014-03-21 | 2018-03-13 | Cisco Technology, Inc. | Marketplace for presenting advertisements in a scalable data broadcasting system |
US9916457B2 (en) | 2015-01-12 | 2018-03-13 | Cisco Technology, Inc. | Decoupled name security binding for CCN objects |
US9930146B2 (en) | 2016-04-04 | 2018-03-27 | Cisco Technology, Inc. | System and method for compressing content centric networking messages |
US9935791B2 (en) | 2013-05-20 | 2018-04-03 | Cisco Technology, Inc. | Method and system for name resolution across heterogeneous architectures |
US9946743B2 (en) | 2015-01-12 | 2018-04-17 | Cisco Technology, Inc. | Order encoded manifests in a content centric network |
US9949301B2 (en) | 2016-01-20 | 2018-04-17 | Palo Alto Research Center Incorporated | Methods for fast, secure and privacy-friendly internet connection discovery in wireless networks |
US9954795B2 (en) | 2015-01-12 | 2018-04-24 | Cisco Technology, Inc. | Resource allocation using CCN manifests |
US9954678B2 (en) | 2014-02-06 | 2018-04-24 | Cisco Technology, Inc. | Content-based transport security |
US9959156B2 (en) | 2014-07-17 | 2018-05-01 | Cisco Technology, Inc. | Interest return control message |
US9977809B2 (en) | 2015-09-24 | 2018-05-22 | Cisco Technology, Inc. | Information and data framework in a content centric network |
US9978025B2 (en) | 2013-03-20 | 2018-05-22 | Cisco Technology, Inc. | Ordered-element naming for name-based packet forwarding |
US9986034B2 (en) | 2015-08-03 | 2018-05-29 | Cisco Technology, Inc. | Transferring state in content centric network stacks |
US9992097B2 (en) | 2016-07-11 | 2018-06-05 | Cisco Technology, Inc. | System and method for piggybacking routing information in interests in a content centric network |
US9992281B2 (en) | 2014-05-01 | 2018-06-05 | Cisco Technology, Inc. | Accountable content stores for information centric networks |
US10003520B2 (en) | 2014-12-22 | 2018-06-19 | Cisco Technology, Inc. | System and method for efficient name-based content routing using link-state information in information-centric networks |
US10003507B2 (en) | 2016-03-04 | 2018-06-19 | Cisco Technology, Inc. | Transport session state protocol |
US10009446B2 (en) | 2015-11-02 | 2018-06-26 | Cisco Technology, Inc. | Header compression for CCN messages using dictionary learning |
US10009266B2 (en) | 2016-07-05 | 2018-06-26 | Cisco Technology, Inc. | Method and system for reference counted pending interest tables in a content centric network |
US10021222B2 (en) | 2015-11-04 | 2018-07-10 | Cisco Technology, Inc. | Bit-aligned header compression for CCN messages using dictionary |
US10027578B2 (en) | 2016-04-11 | 2018-07-17 | Cisco Technology, Inc. | Method and system for routable prefix queries in a content centric network |
US10033639B2 (en) | 2016-03-25 | 2018-07-24 | Cisco Technology, Inc. | System and method for routing packets in a content centric network using anonymous datagrams |
US10033642B2 (en) | 2016-09-19 | 2018-07-24 | Cisco Technology, Inc. | System and method for making optimal routing decisions based on device-specific parameters in a content centric network |
US10038633B2 (en) | 2016-03-04 | 2018-07-31 | Cisco Technology, Inc. | Protocol to query for historical network information in a content centric network |
US10043016B2 (en) | 2016-02-29 | 2018-08-07 | Cisco Technology, Inc. | Method and system for name encryption agreement in a content centric network |
US10051071B2 (en) | 2016-03-04 | 2018-08-14 | Cisco Technology, Inc. | Method and system for collecting historical network information in a content centric network |
US10063414B2 (en) | 2016-05-13 | 2018-08-28 | Cisco Technology, Inc. | Updating a transport stack in a content centric network |
US10067948B2 (en) | 2016-03-18 | 2018-09-04 | Cisco Technology, Inc. | Data deduping in content centric networking manifests |
US10069933B2 (en) | 2014-10-23 | 2018-09-04 | Cisco Technology, Inc. | System and method for creating virtual interfaces based on network characteristics |
US10069729B2 (en) | 2016-08-08 | 2018-09-04 | Cisco Technology, Inc. | System and method for throttling traffic based on a forwarding information base in a content centric network |
US10075521B2 (en) | 2014-04-07 | 2018-09-11 | Cisco Technology, Inc. | Collection synchronization using equality matched network names |
US10075401B2 (en) | 2015-03-18 | 2018-09-11 | Cisco Technology, Inc. | Pending interest table behavior |
US10075402B2 (en) | 2015-06-24 | 2018-09-11 | Cisco Technology, Inc. | Flexible command and control in content centric networks |
US10078062B2 (en) | 2015-12-15 | 2018-09-18 | Palo Alto Research Center Incorporated | Device health estimation by combining contextual information with sensor data |
US10084764B2 (en) | 2016-05-13 | 2018-09-25 | Cisco Technology, Inc. | System for a secure encryption proxy in a content centric network |
US10091330B2 (en) | 2016-03-23 | 2018-10-02 | Cisco Technology, Inc. | Interest scheduling by an information and data framework in a content centric network |
US10089655B2 (en) | 2013-11-27 | 2018-10-02 | Cisco Technology, Inc. | Method and apparatus for scalable data broadcasting |
US10089651B2 (en) | 2014-03-03 | 2018-10-02 | Cisco Technology, Inc. | Method and apparatus for streaming advertisements in a scalable data broadcasting system |
US10098051B2 (en) | 2014-01-22 | 2018-10-09 | Cisco Technology, Inc. | Gateways and routing in software-defined manets |
US10097346B2 (en) | 2015-12-09 | 2018-10-09 | Cisco Technology, Inc. | Key catalogs in a content centric network |
US10097521B2 (en) | 2015-11-20 | 2018-10-09 | Cisco Technology, Inc. | Transparent encryption in a content centric network |
US10101801B2 (en) | 2013-11-13 | 2018-10-16 | Cisco Technology, Inc. | Method and apparatus for prefetching content in a data stream |
US10103989B2 (en) | 2016-06-13 | 2018-10-16 | Cisco Technology, Inc. | Content object return messages in a content centric network |
US10116605B2 (en) | 2015-06-22 | 2018-10-30 | Cisco Technology, Inc. | Transport stack name scheme and identity management |
US10122624B2 (en) | 2016-07-25 | 2018-11-06 | Cisco Technology, Inc. | System and method for ephemeral entries in a forwarding information base in a content centric network |
US10129365B2 (en) | 2013-11-13 | 2018-11-13 | Cisco Technology, Inc. | Method and apparatus for pre-fetching remote content based on static and dynamic recommendations |
US10135948B2 (en) | 2016-10-31 | 2018-11-20 | Cisco Technology, Inc. | System and method for process migration in a content centric network |
US10148572B2 (en) | 2016-06-27 | 2018-12-04 | Cisco Technology, Inc. | Method and system for interest groups in a content centric network |
US10172068B2 (en) | 2014-01-22 | 2019-01-01 | Cisco Technology, Inc. | Service-oriented routing in software-defined MANETs |
US10204013B2 (en) | 2014-09-03 | 2019-02-12 | Cisco Technology, Inc. | System and method for maintaining a distributed and fault-tolerant state over an information centric network |
US10212248B2 (en) | 2016-10-03 | 2019-02-19 | Cisco Technology, Inc. | Cache management on high availability routers in a content centric network |
US10212196B2 (en) | 2016-03-16 | 2019-02-19 | Cisco Technology, Inc. | Interface discovery and authentication in a name-based network |
US10237189B2 (en) | 2014-12-16 | 2019-03-19 | Cisco Technology, Inc. | System and method for distance-based interest forwarding |
US10243851B2 (en) | 2016-11-21 | 2019-03-26 | Cisco Technology, Inc. | System and method for forwarder connection information in a content centric network |
US20190104409A1 (en) * | 2017-10-03 | 2019-04-04 | Citrix Systems, Inc. | Location/things aware cloud services delivery solution |
US10257271B2 (en) | 2016-01-11 | 2019-04-09 | Cisco Technology, Inc. | Chandra-Toueg consensus in a content centric network |
US10263965B2 (en) | 2015-10-16 | 2019-04-16 | Cisco Technology, Inc. | Encrypted CCNx |
US10305865B2 (en) | 2016-06-21 | 2019-05-28 | Cisco Technology, Inc. | Permutation-based content encryption with manifests in a content centric network |
US10305864B2 (en) | 2016-01-25 | 2019-05-28 | Cisco Technology, Inc. | Method and system for interest encryption in a content centric network |
US10313227B2 (en) | 2015-09-24 | 2019-06-04 | Cisco Technology, Inc. | System and method for eliminating undetected interest looping in information-centric networks |
US10320675B2 (en) | 2016-05-04 | 2019-06-11 | Cisco Technology, Inc. | System and method for routing packets in a stateless content centric network |
US10320760B2 (en) | 2016-04-01 | 2019-06-11 | Cisco Technology, Inc. | Method and system for mutating and caching content in a content centric network |
US10333840B2 (en) | 2015-02-06 | 2019-06-25 | Cisco Technology, Inc. | System and method for on-demand content exchange with adaptive naming in information-centric networks |
US10355999B2 (en) | 2015-09-23 | 2019-07-16 | Cisco Technology, Inc. | Flow control with network named fragments |
US10404450B2 (en) | 2016-05-02 | 2019-09-03 | Cisco Technology, Inc. | Schematized access control in a content centric network |
US10425384B1 (en) * | 2013-12-31 | 2019-09-24 | Open Invention Network Llc | Optimizing connections over virtual private networks |
US10425503B2 (en) | 2016-04-07 | 2019-09-24 | Cisco Technology, Inc. | Shared pending interest table in a content centric network |
US10430839B2 (en) | 2012-12-12 | 2019-10-01 | Cisco Technology, Inc. | Distributed advertisement insertion in content-centric networks |
US10447805B2 (en) | 2016-10-10 | 2019-10-15 | Cisco Technology, Inc. | Distributed consensus in a content centric network |
US10454820B2 (en) | 2015-09-29 | 2019-10-22 | Cisco Technology, Inc. | System and method for stateless information-centric networking |
US10469262B1 (en) | 2016-01-27 | 2019-11-05 | Verizon Patent and Licensing Inc. | Methods and systems for network security using a cryptographic firewall |
US10496972B1 (en) * | 2014-09-09 | 2019-12-03 | VCE IP Holding Company LLC | Methods and systems for virtual secured transactions |
US10547589B2 (en) | 2016-05-09 | 2020-01-28 | Cisco Technology, Inc. | System for implementing a small computer systems interface protocol over a content centric network |
US10554480B2 (en) | 2017-05-11 | 2020-02-04 | Verizon Patent And Licensing Inc. | Systems and methods for maintaining communication links |
US10610144B2 (en) | 2015-08-19 | 2020-04-07 | Palo Alto Research Center Incorporated | Interactive remote patient monitoring and condition management intervention system |
US10701038B2 (en) | 2015-07-27 | 2020-06-30 | Cisco Technology, Inc. | Content negotiation in a content centric network |
US10742596B2 (en) | 2016-03-04 | 2020-08-11 | Cisco Technology, Inc. | Method and system for reducing a collision probability of hash-based names using a publisher identifier |
US20210083902A1 (en) * | 2018-06-01 | 2021-03-18 | Huawei Technologies Co., Ltd. | Method for Managing Virtual Private Network, and Device |
US10956412B2 (en) | 2016-08-09 | 2021-03-23 | Cisco Technology, Inc. | Method and system for conjunctive normal form attribute matching in a content centric network |
CN113542094A (en) * | 2021-06-07 | 2021-10-22 | 新华三信息安全技术有限公司 | Access right control method and device |
CN113595847A (en) * | 2021-07-21 | 2021-11-02 | 上海淇玥信息技术有限公司 | Remote access method, system, device and medium |
US20220141191A1 (en) * | 2020-11-02 | 2022-05-05 | Pango, Inc. | Secure distribution of configuration to facilitate a privacy-preserving virtual private network system |
CN114640485A (en) * | 2020-12-01 | 2022-06-17 | 中移(苏州)软件技术有限公司 | Centralized access method, device, equipment and storage medium for service data |
US11436656B2 (en) | 2016-03-18 | 2022-09-06 | Palo Alto Research Center Incorporated | System and method for a real-time egocentric collaborative filter on large datasets |
US11722390B2 (en) * | 2014-05-09 | 2023-08-08 | Amazon Technologies, Inc. | Establishing secured connections between premises outside a provider network |
US11799988B2 (en) | 2022-03-21 | 2023-10-24 | Vmware, Inc. | User datagram protocol segmentation offload for virtual machines |
Families Citing this family (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8615014B2 (en) * | 2010-03-03 | 2013-12-24 | Iwebgate Technology Limited | System and method for multiple concurrent virtual networks |
CN101964800B (en) * | 2010-10-21 | 2015-04-22 | 神州数码网络(北京)有限公司 | Method for authenticating digital certificate user in SSL VPN |
CN102082738A (en) * | 2011-03-10 | 2011-06-01 | 迈普通信技术股份有限公司 | Method for extending MPLS VPN access through public network and PE equipment |
CN102231702B (en) * | 2011-06-23 | 2014-10-22 | 中国人民解放军国防科学技术大学 | Method and system for end-to-end communication across identification network of common network |
CN103379009B (en) * | 2012-04-20 | 2017-02-15 | 南京易安联网络技术有限公司 | SSL VPN communication method based on data link layers |
CN102664972B (en) * | 2012-05-11 | 2015-04-08 | 中科方德软件有限公司 | Method and device for mapping address in virtual network |
CN102843437A (en) * | 2012-09-17 | 2012-12-26 | 北京星网锐捷网络技术有限公司 | Conversion method and device for webpage application and network device |
CN103051499B (en) * | 2012-12-31 | 2015-11-25 | 华为技术有限公司 | A kind of method and apparatus of detection messages |
CN104144157B (en) * | 2013-05-10 | 2019-04-23 | 中兴通讯股份有限公司 | A kind of TCP session establishing method, device, multihome node and satellite node |
CN103973694B (en) * | 2014-05-14 | 2017-05-10 | 北京太一星晨信息技术有限公司 | Method and interface device for access of secure socket layer protocol entity to discontinuous internal storage |
CN105634904B (en) * | 2016-01-19 | 2019-02-19 | 深圳前海达闼云端智能科技有限公司 | SSLVPN proxy method, server, client and processing method thereof |
CN106411735B (en) * | 2016-10-18 | 2019-10-11 | 新华三技术有限公司 | A kind of method for configuring route and device |
CN106549849B (en) * | 2016-10-27 | 2019-08-06 | 杭州迪普科技股份有限公司 | The processing method and processing device of message |
CN106878133B (en) * | 2016-12-15 | 2019-11-08 | 新华三技术有限公司 | Message forwarding method and device |
CN108234253A (en) * | 2016-12-21 | 2018-06-29 | 中兴通讯股份有限公司 | The management method and message forwarding method of BRAS, message transmitting controller and BRAS |
CN106888145B (en) * | 2017-03-17 | 2019-11-12 | 新华三技术有限公司 | A kind of VPN resource access method and device |
CN107171857B (en) * | 2017-06-21 | 2021-04-27 | 杭州迪普科技股份有限公司 | Network virtualization method and device based on user group |
CN107426100B (en) * | 2017-08-29 | 2020-10-02 | 杭州迪普科技股份有限公司 | VPN user access method and device based on user group |
CN107659482B (en) * | 2017-09-30 | 2020-11-06 | 北京奇虎科技有限公司 | Method and device for transmitting data based on virtual private network |
CN108337148B (en) * | 2018-02-07 | 2019-10-18 | 北京百度网讯科技有限公司 | For obtaining the method and device of information |
CN108632126B (en) * | 2018-04-26 | 2020-12-08 | 新华三技术有限公司 | Message forwarding channel establishing method and device and message forwarding method and device |
CN108768861B (en) * | 2018-06-29 | 2021-01-08 | 新华三信息安全技术有限公司 | Method and device for sending service message |
CN109347790B (en) * | 2018-08-30 | 2021-04-09 | 南瑞集团有限公司 | Security attack test system and test method for electric power MPLS VPN network |
CN109474713B (en) * | 2018-11-13 | 2021-12-24 | 杭州数梦工场科技有限公司 | Message forwarding method and device |
CN110278181B (en) * | 2019-01-29 | 2021-09-17 | 广州金越软件技术有限公司 | Instant protocol conversion system for cross-network data exchange |
CN109981640B (en) * | 2019-03-25 | 2021-07-23 | 新华三技术有限公司 | Connection establishment method and device |
CN111147340A (en) * | 2019-12-26 | 2020-05-12 | 山东超越数控电子股份有限公司 | Method, equipment and medium for carrying out networked access on CAN bus interface |
CN113645116B (en) * | 2021-06-21 | 2023-04-07 | 广西电网有限责任公司 | MPLSVPN automatic opening method and device |
CN113726737A (en) * | 2021-07-26 | 2021-11-30 | 绿盟科技集团股份有限公司 | Communication method, device and medium |
US11888869B2 (en) | 2021-09-02 | 2024-01-30 | Saudi Arabian Oil Company | System and method for securing network users in an enterprise network through cybersecurity controls |
US11356419B1 (en) | 2021-10-01 | 2022-06-07 | Oversec, Uab | System and method for retrieving aggregated information about virtual private network servers |
CN116708288A (en) * | 2022-02-28 | 2023-09-05 | 中兴通讯股份有限公司 | Network scheduling method, network device and readable storage medium |
CN115361605B (en) * | 2022-10-20 | 2023-03-24 | 武汉长光科技有限公司 | Method, device, equipment and computer readable storage medium for roaming in virtual domain |
CN116248595B (en) * | 2023-03-15 | 2024-02-02 | 安超云软件有限公司 | Method, device, equipment and medium for communication between cloud intranet and physical network |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7039687B1 (en) * | 1998-08-07 | 2006-05-02 | Nortel Networks Limited | Multi-protocol label switching virtual private networks |
US20070140250A1 (en) * | 2005-12-21 | 2007-06-21 | Solace Systems, Inc. | Shared application inter-working with virtual private networks |
US20080034416A1 (en) * | 2006-08-03 | 2008-02-07 | Arkesh Kumar | Methods and systems for routing packets in a vpn-client-to-vpn-client connection via an ssl/vpn network appliance |
US20080225852A1 (en) * | 2007-03-15 | 2008-09-18 | Robert Raszuk | Methods and apparatus providing two stage tunneling |
US20080263209A1 (en) * | 2007-04-20 | 2008-10-23 | Array Networks, Inc. | Active-active operation for a cluster of SSL virtual private network (VPN) devices with load distribution |
US20100043068A1 (en) * | 2008-08-14 | 2010-02-18 | Juniper Networks, Inc. | Routing device having integrated mpls-aware firewall |
US7817668B2 (en) * | 2005-06-29 | 2010-10-19 | Ntt Docomo, Inc. | Communication terminal device and communications method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1183726C (en) * | 2002-08-05 | 2005-01-05 | 华为技术有限公司 | Network organizing method based on multi protocol label exchange virtual private network |
CN100393062C (en) * | 2005-05-12 | 2008-06-04 | 中兴通讯股份有限公司 | Method for core network access to multi-protocol sign exchange virtual special network |
CN101355557B (en) * | 2008-09-05 | 2011-06-22 | 杭州华三通信技术有限公司 | Method and system for implementing network access control in MPLS/VPN network |
2009
- 2009-07-15 CN CN2009100889861A patent/CN101599901B/en active Active
2010
- 2010-07-14 US US12/836,439 patent/US8274967B2/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7039687B1 (en) * | 1998-08-07 | 2006-05-02 | Nortel Networks Limited | Multi-protocol label switching virtual private networks |
US7817668B2 (en) * | 2005-06-29 | 2010-10-19 | Ntt Docomo, Inc. | Communication terminal device and communications method |
US20070140250A1 (en) * | 2005-12-21 | 2007-06-21 | Solace Systems, Inc. | Shared application inter-working with virtual private networks |
US20080034416A1 (en) * | 2006-08-03 | 2008-02-07 | Arkesh Kumar | Methods and systems for routing packets in a vpn-client-to-vpn-client connection via an ssl/vpn network appliance |
US20080225852A1 (en) * | 2007-03-15 | 2008-09-18 | Robert Raszuk | Methods and apparatus providing two stage tunneling |
US20080263209A1 (en) * | 2007-04-20 | 2008-10-23 | Array Networks, Inc. | Active-active operation for a cluster of SSL virtual private network (VPN) devices with load distribution |
US20100043068A1 (en) * | 2008-08-14 | 2010-02-18 | Juniper Networks, Inc. | Routing device having integrated mpls-aware firewall |
Cited By (209)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9456054B2 (en) | 2008-05-16 | 2016-09-27 | Palo Alto Research Center Incorporated | Controlling the spread of interests and content in a content centric network |
US10104041B2 (en) | 2008-05-16 | 2018-10-16 | Cisco Technology, Inc. | Controlling the spread of interests and content in a content centric network |
US9686194B2 (en) | 2009-10-21 | 2017-06-20 | Cisco Technology, Inc. | Adaptive multi-interface use for content networking |
US20110191442A1 (en) * | 2010-01-29 | 2011-08-04 | Michael Ovsiannikov | Systems and methods of using ssl pools for wan acceleration |
US9479480B2 (en) * | 2010-01-29 | 2016-10-25 | Citrix Systems, Inc. | Systems and methods of using SSL pools for WAN acceleration |
US9667483B2 (en) * | 2010-12-23 | 2017-05-30 | Koninklijke Kpn N.V. | Method, gateway device and network system for configuring a device in a local area network |
US20130265910A1 (en) * | 2010-12-23 | 2013-10-10 | Nederlandse Organisatie Voor Toegepast-Natuurwetenschappelijk Onderzoek Tno | Method, Gateway Device and Network System for Configuring a Device in a Local Area Network |
US10432514B2 (en) | 2012-06-06 | 2019-10-01 | Huawei Technologies Co., Ltd. | Multiprotocol label switching traffic engineering tunnel establishing method and device |
US20150092780A1 (en) * | 2012-06-06 | 2015-04-02 | Huawei Technologies Co., Ltd. | Label Distribution Method and Device |
US9893986B2 (en) * | 2012-06-06 | 2018-02-13 | Huawei Technologies Co., Ltd. | Label distribution method and device |
US9769067B2 (en) | 2012-06-06 | 2017-09-19 | Huawei Technologies Co., Ltd. | Multiprotocol label switching traffic engineering tunnel establishing method and device |
US10554542B2 (en) * | 2012-06-06 | 2020-02-04 | Huawei Technologies Co., Ltd. | Label distribution method and device |
US20180109448A1 (en) * | 2012-06-06 | 2018-04-19 | Huawei Technologies Co., Ltd. | Label Distribution Method and Device |
US9280546B2 (en) | 2012-10-31 | 2016-03-08 | Palo Alto Research Center Incorporated | System and method for accessing digital content using a location-independent name |
US9400800B2 (en) | 2012-11-19 | 2016-07-26 | Palo Alto Research Center Incorporated | Data transport by named content synchronization |
US20150257182A1 (en) * | 2012-11-28 | 2015-09-10 | Huawei Technologies Co., Ltd. | Mobile network communications method, communications apparatus, and communications system |
US9788353B2 (en) * | 2012-11-28 | 2017-10-10 | Huawei Technologies Co., Ltd. | Mobile network communications method, communications apparatus, and communications system |
US10430839B2 (en) | 2012-12-12 | 2019-10-01 | Cisco Technology, Inc. | Distributed advertisement insertion in content-centric networks |
US9942274B2 (en) | 2013-02-01 | 2018-04-10 | Vidder, Inc. | Securing communication over a network using client integrity verification |
US20150237035A1 (en) * | 2013-02-01 | 2015-08-20 | Vidder, Inc. | Securing Organizational Computing Assets over a Network Using Virtual Domains |
US10652226B2 (en) | 2013-02-01 | 2020-05-12 | Verizon Patent And Licensing Inc. | Securing communication over a network using dynamically assigned proxy servers |
US9065856B2 (en) | 2013-02-01 | 2015-06-23 | Vidder, Inc. | Securing communication over a network using client system authorization and dynamically assigned proxy servers |
US9692743B2 (en) * | 2013-02-01 | 2017-06-27 | Vidder, Inc. | Securing organizational computing assets over a network using virtual domains |
US9398050B2 (en) | 2013-02-01 | 2016-07-19 | Vidder, Inc. | Dynamically configured connection to a trust broker |
US9282120B2 (en) | 2013-02-01 | 2016-03-08 | Vidder, Inc. | Securing communication over a network using client integrity verification |
US9648044B2 (en) | 2013-02-01 | 2017-05-09 | Vidder, Inc. | Securing communication over a network using client system authorization and dynamically assigned proxy servers |
US9027086B2 (en) * | 2013-02-01 | 2015-05-05 | Vidder, Inc. | Securing organizational computing assets over a network using virtual domains |
US20140223515A1 (en) * | 2013-02-01 | 2014-08-07 | Junaid Islam | Securing Organizational Computing Assets over a Network Using Virtual Domains |
US9978025B2 (en) | 2013-03-20 | 2018-05-22 | Cisco Technology, Inc. | Ordered-element naming for name-based packet forwarding |
US9935791B2 (en) | 2013-05-20 | 2018-04-03 | Cisco Technology, Inc. | Method and system for name resolution across heterogeneous architectures |
US20160119228A1 (en) * | 2013-06-24 | 2016-04-28 | Hangzhou H3C Technologies Co., Ltd. | Forwarding packets |
US9444722B2 (en) | 2013-08-01 | 2016-09-13 | Palo Alto Research Center Incorporated | Method and apparatus for configuring routing paths in a custodian-based routing architecture |
US10333919B2 (en) | 2013-08-13 | 2019-06-25 | Cisco Technology, Inc. | System and method for traversing a NAT device with IPSec AH authentication |
US9942216B2 (en) | 2013-08-13 | 2018-04-10 | vIPtela Inc. | System and method for traversing a NAT device with IPSec AH authentication |
US9641551B1 (en) * | 2013-08-13 | 2017-05-02 | vIPtela Inc. | System and method for traversing a NAT device with IPSEC AH authentication |
US9407549B2 (en) | 2013-10-29 | 2016-08-02 | Palo Alto Research Center Incorporated | System and method for hash-based forwarding of packets with hierarchically structured variable-length identifiers |
US9276840B2 (en) | 2013-10-30 | 2016-03-01 | Palo Alto Research Center Incorporated | Interest messages with a payload for a named data network |
US9401864B2 (en) | 2013-10-31 | 2016-07-26 | Palo Alto Research Center Incorporated | Express header for packets with hierarchically structured variable-length identifiers |
US10129365B2 (en) | 2013-11-13 | 2018-11-13 | Cisco Technology, Inc. | Method and apparatus for pre-fetching remote content based on static and dynamic recommendations |
US10101801B2 (en) | 2013-11-13 | 2018-10-16 | Cisco Technology, Inc. | Method and apparatus for prefetching content in a data stream |
US9311377B2 (en) | 2013-11-13 | 2016-04-12 | Palo Alto Research Center Incorporated | Method and apparatus for performing server handoff in a name-based content distribution system |
US10089655B2 (en) | 2013-11-27 | 2018-10-02 | Cisco Technology, Inc. | Method and apparatus for scalable data broadcasting |
US9503358B2 (en) | 2013-12-05 | 2016-11-22 | Palo Alto Research Center Incorporated | Distance-based routing in an information-centric network |
US10425384B1 (en) * | 2013-12-31 | 2019-09-24 | Open Invention Network Llc | Optimizing connections over virtual private networks |
US11005817B1 (en) | 2013-12-31 | 2021-05-11 | Open Invention Network Llc | Optimizing connections over virtual private networks |
US9379979B2 (en) * | 2014-01-14 | 2016-06-28 | Palo Alto Research Center Incorporated | Method and apparatus for establishing a virtual interface for a set of mutual-listener devices |
US20150200852A1 (en) * | 2014-01-14 | 2015-07-16 | Palo Alto Research Center Incorporated | Method and apparatus for establishing a virtual interface for a set of mutual-listener devices |
US10172068B2 (en) | 2014-01-22 | 2019-01-01 | Cisco Technology, Inc. | Service-oriented routing in software-defined MANETs |
US10098051B2 (en) | 2014-01-22 | 2018-10-09 | Cisco Technology, Inc. | Gateways and routing in software-defined manets |
US9374304B2 (en) | 2014-01-24 | 2016-06-21 | Palo Alto Research Center Incorporated | End-to end route tracing over a named-data network |
US9954678B2 (en) | 2014-02-06 | 2018-04-24 | Cisco Technology, Inc. | Content-based transport security |
US9678998B2 (en) | 2014-02-28 | 2017-06-13 | Cisco Technology, Inc. | Content name resolution for information centric networking |
US10706029B2 (en) | 2014-02-28 | 2020-07-07 | Cisco Technology, Inc. | Content name resolution for information centric networking |
US10089651B2 (en) | 2014-03-03 | 2018-10-02 | Cisco Technology, Inc. | Method and apparatus for streaming advertisements in a scalable data broadcasting system |
US9836540B2 (en) | 2014-03-04 | 2017-12-05 | Cisco Technology, Inc. | System and method for direct storage access in a content-centric network |
US10445380B2 (en) | 2014-03-04 | 2019-10-15 | Cisco Technology, Inc. | System and method for direct storage access in a content-centric network |
US9626413B2 (en) | 2014-03-10 | 2017-04-18 | Cisco Systems, Inc. | System and method for ranking content popularity in a content-centric network |
US9391896B2 (en) | 2014-03-10 | 2016-07-12 | Palo Alto Research Center Incorporated | System and method for packet forwarding using a conjunctive normal form strategy in a content-centric network |
US9473405B2 (en) | 2014-03-10 | 2016-10-18 | Palo Alto Research Center Incorporated | Concurrent hashes and sub-hashes on data streams |
US9407432B2 (en) | 2014-03-19 | 2016-08-02 | Palo Alto Research Center Incorporated | System and method for efficient and secure distribution of digital content |
US9916601B2 (en) | 2014-03-21 | 2018-03-13 | Cisco Technology, Inc. | Marketplace for presenting advertisements in a scalable data broadcasting system |
US9363179B2 (en) | 2014-03-26 | 2016-06-07 | Palo Alto Research Center Incorporated | Multi-publisher routing protocol for named data networks |
US10595205B2 (en) | 2014-03-31 | 2020-03-17 | Mobile Iron, Inc. | Mobile device traffic splitter |
US9363086B2 (en) | 2014-03-31 | 2016-06-07 | Palo Alto Research Center Incorporated | Aggregate signing of data in content centric networking |
US9854443B2 (en) * | 2014-03-31 | 2017-12-26 | Mobile Iron, Inc. | Mobile device traffic splitter |
US20150282041A1 (en) * | 2014-03-31 | 2015-10-01 | Mobile Iron, Inc. | Mobile device traffic splitter |
US9716622B2 (en) | 2014-04-01 | 2017-07-25 | Cisco Technology, Inc. | System and method for dynamic name configuration in content-centric networks |
US9390289B2 (en) | 2014-04-07 | 2016-07-12 | Palo Alto Research Center Incorporated | Secure collection synchronization using matched network names |
US10075521B2 (en) | 2014-04-07 | 2018-09-11 | Cisco Technology, Inc. | Collection synchronization using equality matched network names |
US9473576B2 (en) | 2014-04-07 | 2016-10-18 | Palo Alto Research Center Incorporated | Service discovery using collection synchronization with exact names |
US9451032B2 (en) | 2014-04-10 | 2016-09-20 | Palo Alto Research Center Incorporated | System and method for simple service discovery in content-centric networks |
US9992281B2 (en) | 2014-05-01 | 2018-06-05 | Cisco Technology, Inc. | Accountable content stores for information centric networks |
US11722390B2 (en) * | 2014-05-09 | 2023-08-08 | Amazon Technologies, Inc. | Establishing secured connections between premises outside a provider network |
US10158656B2 (en) | 2014-05-22 | 2018-12-18 | Cisco Technology, Inc. | Method and apparatus for preventing insertion of malicious content at a named data network router |
US9609014B2 (en) | 2014-05-22 | 2017-03-28 | Cisco Systems, Inc. | Method and apparatus for preventing insertion of malicious content at a named data network router |
US9455835B2 (en) | 2014-05-23 | 2016-09-27 | Palo Alto Research Center Incorporated | System and method for circular link resolution with hash-based names in content-centric networks |
US9276751B2 (en) | 2014-05-28 | 2016-03-01 | Palo Alto Research Center Incorporated | System and method for circular link resolution with computable hash-based names in content-centric networks |
JP2016005196A (en) * | 2014-06-18 | 2016-01-12 | エヌ・ティ・ティ・コミュニケーションズ株式会社 | Tunnel connection device, communication network, data communication method, and program |
US9516144B2 (en) | 2014-06-19 | 2016-12-06 | Palo Alto Research Center Incorporated | Cut-through forwarding of CCNx message fragments with IP encapsulation |
US9537719B2 (en) | 2014-06-19 | 2017-01-03 | Palo Alto Research Center Incorporated | Method and apparatus for deploying a minimal-cost CCN topology |
US9426113B2 (en) | 2014-06-30 | 2016-08-23 | Palo Alto Research Center Incorporated | System and method for managing devices over a content centric network |
US9699198B2 (en) | 2014-07-07 | 2017-07-04 | Cisco Technology, Inc. | System and method for parallel secure content bootstrapping in content-centric networks |
US9621354B2 (en) | 2014-07-17 | 2017-04-11 | Cisco Systems, Inc. | Reconstructable content objects |
US10237075B2 (en) | 2014-07-17 | 2019-03-19 | Cisco Technology, Inc. | Reconstructable content objects |
US9959156B2 (en) | 2014-07-17 | 2018-05-01 | Cisco Technology, Inc. | Interest return control message |
US9729616B2 (en) | 2014-07-18 | 2017-08-08 | Cisco Technology, Inc. | Reputation-based strategy for forwarding and responding to interests over a content centric network |
US9929935B2 (en) | 2014-07-18 | 2018-03-27 | Cisco Technology, Inc. | Method and system for keeping interest alive in a content centric network |
US9590887B2 (en) | 2014-07-18 | 2017-03-07 | Cisco Systems, Inc. | Method and system for keeping interest alive in a content centric network |
US10305968B2 (en) | 2014-07-18 | 2019-05-28 | Cisco Technology, Inc. | Reputation-based strategy for forwarding and responding to interests over a content centric network |
US9535968B2 (en) | 2014-07-21 | 2017-01-03 | Palo Alto Research Center Incorporated | System for distributing nameless objects using self-certifying names |
US9882964B2 (en) | 2014-08-08 | 2018-01-30 | Cisco Technology, Inc. | Explicit strategy feedback in name-based forwarding |
US9503365B2 (en) | 2014-08-11 | 2016-11-22 | Palo Alto Research Center Incorporated | Reputation-based instruction processing over an information centric network |
US9729662B2 (en) | 2014-08-11 | 2017-08-08 | Cisco Technology, Inc. | Probabilistic lazy-forwarding technique without validation in a content centric network |
US9391777B2 (en) | 2014-08-15 | 2016-07-12 | Palo Alto Research Center Incorporated | System and method for performing key resolution over a content centric network |
US9800637B2 (en) | 2014-08-19 | 2017-10-24 | Cisco Technology, Inc. | System and method for all-in-one content stream in content-centric networks |
US9467492B2 (en) | 2014-08-19 | 2016-10-11 | Palo Alto Research Center Incorporated | System and method for reconstructable all-in-one content stream |
US10367871B2 (en) | 2014-08-19 | 2019-07-30 | Cisco Technology, Inc. | System and method for all-in-one content stream in content-centric networks |
US9497282B2 (en) | 2014-08-27 | 2016-11-15 | Palo Alto Research Center Incorporated | Network coding for content-centric network |
US10204013B2 (en) | 2014-09-03 | 2019-02-12 | Cisco Technology, Inc. | System and method for maintaining a distributed and fault-tolerant state over an information centric network |
US11314597B2 (en) | 2014-09-03 | 2022-04-26 | Cisco Technology, Inc. | System and method for maintaining a distributed and fault-tolerant state over an information centric network |
US10496972B1 (en) * | 2014-09-09 | 2019-12-03 | VCE IP Holding Company LLC | Methods and systems for virtual secured transactions |
US9553812B2 (en) | 2014-09-09 | 2017-01-24 | Palo Alto Research Center Incorporated | Interest keep alives at intermediate routers in a CCN |
US10069933B2 (en) | 2014-10-23 | 2018-09-04 | Cisco Technology, Inc. | System and method for creating virtual interfaces based on network characteristics |
US10715634B2 (en) | 2014-10-23 | 2020-07-14 | Cisco Technology, Inc. | System and method for creating virtual interfaces based on network characteristics |
US9536059B2 (en) | 2014-12-15 | 2017-01-03 | Palo Alto Research Center Incorporated | Method and system for verifying renamed content using manifests in a content centric network |
US9590948B2 (en) | 2014-12-15 | 2017-03-07 | Cisco Systems, Inc. | CCN routing using hardware-assisted hash tables |
US10237189B2 (en) | 2014-12-16 | 2019-03-19 | Cisco Technology, Inc. | System and method for distance-based interest forwarding |
US9846881B2 (en) | 2014-12-19 | 2017-12-19 | Palo Alto Research Center Incorporated | Frugal user engagement help systems |
US10003520B2 (en) | 2014-12-22 | 2018-06-19 | Cisco Technology, Inc. | System and method for efficient name-based content routing using link-state information in information-centric networks |
US9473475B2 (en) | 2014-12-22 | 2016-10-18 | Palo Alto Research Center Incorporated | Low-cost authenticated signing delegation in content centric networking |
US9660825B2 (en) | 2014-12-24 | 2017-05-23 | Cisco Technology, Inc. | System and method for multi-source multicasting in content-centric networks |
US10091012B2 (en) | 2014-12-24 | 2018-10-02 | Cisco Technology, Inc. | System and method for multi-source multicasting in content-centric networks |
US9602596B2 (en) | 2015-01-12 | 2017-03-21 | Cisco Systems, Inc. | Peer-to-peer sharing in a content centric network |
US10440161B2 (en) | 2015-01-12 | 2019-10-08 | Cisco Technology, Inc. | Auto-configurable transport stack |
US9832291B2 (en) | 2015-01-12 | 2017-11-28 | Cisco Technology, Inc. | Auto-configurable transport stack |
US9946743B2 (en) | 2015-01-12 | 2018-04-17 | Cisco Technology, Inc. | Order encoded manifests in a content centric network |
US9954795B2 (en) | 2015-01-12 | 2018-04-24 | Cisco Technology, Inc. | Resource allocation using CCN manifests |
US9916457B2 (en) | 2015-01-12 | 2018-03-13 | Cisco Technology, Inc. | Decoupled name security binding for CCN objects |
US9462006B2 (en) | 2015-01-21 | 2016-10-04 | Palo Alto Research Center Incorporated | Network-layer application-specific trust model |
US9552493B2 (en) | 2015-02-03 | 2017-01-24 | Palo Alto Research Center Incorporated | Access control framework for information centric networking |
US10333840B2 (en) | 2015-02-06 | 2019-06-25 | Cisco Technology, Inc. | System and method for on-demand content exchange with adaptive naming in information-centric networks |
US10075401B2 (en) | 2015-03-18 | 2018-09-11 | Cisco Technology, Inc. | Pending interest table behavior |
US20160308836A1 (en) * | 2015-04-15 | 2016-10-20 | Electronics And Telecommunications Research Institute | Virtual private network security apparatus and operation method thereof |
US10116605B2 (en) | 2015-06-22 | 2018-10-30 | Cisco Technology, Inc. | Transport stack name scheme and identity management |
US10075402B2 (en) | 2015-06-24 | 2018-09-11 | Cisco Technology, Inc. | Flexible command and control in content centric networks |
US10701038B2 (en) | 2015-07-27 | 2020-06-30 | Cisco Technology, Inc. | Content negotiation in a content centric network |
US9986034B2 (en) | 2015-08-03 | 2018-05-29 | Cisco Technology, Inc. | Transferring state in content centric network stacks |
US10610144B2 (en) | 2015-08-19 | 2020-04-07 | Palo Alto Research Center Incorporated | Interactive remote patient monitoring and condition management intervention system |
US9832123B2 (en) | 2015-09-11 | 2017-11-28 | Cisco Technology, Inc. | Network named fragments in a content centric network |
US10419345B2 (en) | 2015-09-11 | 2019-09-17 | Cisco Technology, Inc. | Network named fragments in a content centric network |
US10355999B2 (en) | 2015-09-23 | 2019-07-16 | Cisco Technology, Inc. | Flow control with network named fragments |
US10313227B2 (en) | 2015-09-24 | 2019-06-04 | Cisco Technology, Inc. | System and method for eliminating undetected interest looping in information-centric networks |
US9977809B2 (en) | 2015-09-24 | 2018-05-22 | Cisco Technology, Inc. | Information and data framework in a content centric network |
US10454820B2 (en) | 2015-09-29 | 2019-10-22 | Cisco Technology, Inc. | System and method for stateless information-centric networking |
US10263965B2 (en) | 2015-10-16 | 2019-04-16 | Cisco Technology, Inc. | Encrypted CCNx |
US10129230B2 (en) | 2015-10-29 | 2018-11-13 | Cisco Technology, Inc. | System for key exchange in a content centric network |
US9794238B2 (en) | 2015-10-29 | 2017-10-17 | Cisco Technology, Inc. | System for key exchange in a content centric network |
US9807205B2 (en) | 2015-11-02 | 2017-10-31 | Cisco Technology, Inc. | Header compression for CCN messages using dictionary |
US10009446B2 (en) | 2015-11-02 | 2018-06-26 | Cisco Technology, Inc. | Header compression for CCN messages using dictionary learning |
US10021222B2 (en) | 2015-11-04 | 2018-07-10 | Cisco Technology, Inc. | Bit-aligned header compression for CCN messages using dictionary |
US10681018B2 (en) | 2015-11-20 | 2020-06-09 | Cisco Technology, Inc. | Transparent encryption in a content centric network |
US10097521B2 (en) | 2015-11-20 | 2018-10-09 | Cisco Technology, Inc. | Transparent encryption in a content centric network |
US9912776B2 (en) | 2015-12-02 | 2018-03-06 | Cisco Technology, Inc. | Explicit content deletion commands in a content centric network |
US10097346B2 (en) | 2015-12-09 | 2018-10-09 | Cisco Technology, Inc. | Key catalogs in a content centric network |
US10116466B2 (en) * | 2015-12-10 | 2018-10-30 | Vmware, Inc. | Transport protocol task offload emulation to detect offload segments for communication with a private network |
US20170170987A1 (en) * | 2015-12-10 | 2017-06-15 | Nicira, Inc. | Transport protocol task offload emulation to detect offload segments for communication with a private network |
US10078062B2 (en) | 2015-12-15 | 2018-09-18 | Palo Alto Research Center Incorporated | Device health estimation by combining contextual information with sensor data |
US10581967B2 (en) | 2016-01-11 | 2020-03-03 | Cisco Technology, Inc. | Chandra-Toueg consensus in a content centric network |
US10257271B2 (en) | 2016-01-11 | 2019-04-09 | Cisco Technology, Inc. | Chandra-Toueg consensus in a content centric network |
US9949301B2 (en) | 2016-01-20 | 2018-04-17 | Palo Alto Research Center Incorporated | Methods for fast, secure and privacy-friendly internet connection discovery in wireless networks |
US10305864B2 (en) | 2016-01-25 | 2019-05-28 | Cisco Technology, Inc. | Method and system for interest encryption in a content centric network |
US10469262B1 (en) | 2016-01-27 | 2019-11-05 | Verizon Patent And Licensing Inc. | Methods and systems for network security using a cryptographic firewall |
US10848313B2 (en) | 2016-01-27 | 2020-11-24 | Verizon Patent And Licensing Inc. | Methods and systems for network security using a cryptographic firewall |
US11265167B2 (en) | 2016-01-27 | 2022-03-01 | Verizon Patent And Licensing Inc. | Methods and systems for network security using a cryptographic firewall |
US10043016B2 (en) | 2016-02-29 | 2018-08-07 | Cisco Technology, Inc. | Method and system for name encryption agreement in a content centric network |
US10003507B2 (en) | 2016-03-04 | 2018-06-19 | Cisco Technology, Inc. | Transport session state protocol |
US10038633B2 (en) | 2016-03-04 | 2018-07-31 | Cisco Technology, Inc. | Protocol to query for historical network information in a content centric network |
US10742596B2 (en) | 2016-03-04 | 2020-08-11 | Cisco Technology, Inc. | Method and system for reducing a collision probability of hash-based names using a publisher identifier |
US10051071B2 (en) | 2016-03-04 | 2018-08-14 | Cisco Technology, Inc. | Method and system for collecting historical network information in a content centric network |
US10469378B2 (en) | 2016-03-04 | 2019-11-05 | Cisco Technology, Inc. | Protocol to query for historical network information in a content centric network |
US10129368B2 (en) | 2016-03-14 | 2018-11-13 | Cisco Technology, Inc. | Adjusting entries in a forwarding information base in a content centric network |
US9832116B2 (en) | 2016-03-14 | 2017-11-28 | Cisco Technology, Inc. | Adjusting entries in a forwarding information base in a content centric network |
US10212196B2 (en) | 2016-03-16 | 2019-02-19 | Cisco Technology, Inc. | Interface discovery and authentication in a name-based network |
US11436656B2 (en) | 2016-03-18 | 2022-09-06 | Palo Alto Research Center Incorporated | System and method for a real-time egocentric collaborative filter on large datasets |
US10067948B2 (en) | 2016-03-18 | 2018-09-04 | Cisco Technology, Inc. | Data deduping in content centric networking manifests |
US10091330B2 (en) | 2016-03-23 | 2018-10-02 | Cisco Technology, Inc. | Interest scheduling by an information and data framework in a content centric network |
US10033639B2 (en) | 2016-03-25 | 2018-07-24 | Cisco Technology, Inc. | System and method for routing packets in a content centric network using anonymous datagrams |
US10320760B2 (en) | 2016-04-01 | 2019-06-11 | Cisco Technology, Inc. | Method and system for mutating and caching content in a content centric network |
US9930146B2 (en) | 2016-04-04 | 2018-03-27 | Cisco Technology, Inc. | System and method for compressing content centric networking messages |
US10348865B2 (en) | 2016-04-04 | 2019-07-09 | Cisco Technology, Inc. | System and method for compressing content centric networking messages |
US10425503B2 (en) | 2016-04-07 | 2019-09-24 | Cisco Technology, Inc. | Shared pending interest table in a content centric network |
US10027578B2 (en) | 2016-04-11 | 2018-07-17 | Cisco Technology, Inc. | Method and system for routable prefix queries in a content centric network |
US10841212B2 (en) | 2016-04-11 | 2020-11-17 | Cisco Technology, Inc. | Method and system for routable prefix queries in a content centric network |
CN105939344A (en) * | 2016-04-18 | 2016-09-14 | 杭州迪普科技有限公司 | TCP (Transmission Control Protocol) connection establishing method and device |
US20170304086A1 (en) * | 2016-04-22 | 2017-10-26 | Rehabilitation Institute of Chicago d/b/a Shirley Ryan AbilityLab | Safety Overload for Direct Skeletal Attachment |
US10404450B2 (en) | 2016-05-02 | 2019-09-03 | Cisco Technology, Inc. | Schematized access control in a content centric network |
US10320675B2 (en) | 2016-05-04 | 2019-06-11 | Cisco Technology, Inc. | System and method for routing packets in a stateless content centric network |
US10547589B2 (en) | 2016-05-09 | 2020-01-28 | Cisco Technology, Inc. | System for implementing a small computer systems interface protocol over a content centric network |
US10084764B2 (en) | 2016-05-13 | 2018-09-25 | Cisco Technology, Inc. | System for a secure encryption proxy in a content centric network |
US10063414B2 (en) | 2016-05-13 | 2018-08-28 | Cisco Technology, Inc. | Updating a transport stack in a content centric network |
US10404537B2 (en) | 2016-05-13 | 2019-09-03 | Cisco Technology, Inc. | Updating a transport stack in a content centric network |
US10103989B2 (en) | 2016-06-13 | 2018-10-16 | Cisco Technology, Inc. | Content object return messages in a content centric network |
US10305865B2 (en) | 2016-06-21 | 2019-05-28 | Cisco Technology, Inc. | Permutation-based content encryption with manifests in a content centric network |
US10581741B2 (en) | 2016-06-27 | 2020-03-03 | Cisco Technology, Inc. | Method and system for interest groups in a content centric network |
US10148572B2 (en) | 2016-06-27 | 2018-12-04 | Cisco Technology, Inc. | Method and system for interest groups in a content centric network |
US10009266B2 (en) | 2016-07-05 | 2018-06-26 | Cisco Technology, Inc. | Method and system for reference counted pending interest tables in a content centric network |
US9992097B2 (en) | 2016-07-11 | 2018-06-05 | Cisco Technology, Inc. | System and method for piggybacking routing information in interests in a content centric network |
US10122624B2 (en) | 2016-07-25 | 2018-11-06 | Cisco Technology, Inc. | System and method for ephemeral entries in a forwarding information base in a content centric network |
US10069729B2 (en) | 2016-08-08 | 2018-09-04 | Cisco Technology, Inc. | System and method for throttling traffic based on a forwarding information base in a content centric network |
US10956412B2 (en) | 2016-08-09 | 2021-03-23 | Cisco Technology, Inc. | Method and system for conjunctive normal form attribute matching in a content centric network |
US10033642B2 (en) | 2016-09-19 | 2018-07-24 | Cisco Technology, Inc. | System and method for making optimal routing decisions based on device-specific parameters in a content centric network |
US10212248B2 (en) | 2016-10-03 | 2019-02-19 | Cisco Technology, Inc. | Cache management on high availability routers in a content centric network |
US10897518B2 (en) | 2016-10-03 | 2021-01-19 | Cisco Technology, Inc. | Cache management on high availability routers in a content centric network |
US10447805B2 (en) | 2016-10-10 | 2019-10-15 | Cisco Technology, Inc. | Distributed consensus in a content centric network |
US10721332B2 (en) | 2016-10-31 | 2020-07-21 | Cisco Technology, Inc. | System and method for process migration in a content centric network |
US10135948B2 (en) | 2016-10-31 | 2018-11-20 | Cisco Technology, Inc. | System and method for process migration in a content centric network |
US10243851B2 (en) | 2016-11-21 | 2019-03-26 | Cisco Technology, Inc. | System and method for forwarder connection information in a content centric network |
US10554480B2 (en) | 2017-05-11 | 2020-02-04 | Verizon Patent And Licensing Inc. | Systems and methods for maintaining communication links |
US10873497B2 (en) | 2017-05-11 | 2020-12-22 | Verizon Patent And Licensing Inc. | Systems and methods for maintaining communication links |
US11006273B2 (en) * | 2017-10-03 | 2021-05-11 | Citrix Systems, Inc. | Location/things aware cloud services delivery solution |
US11653200B2 (en) | 2017-10-03 | 2023-05-16 | Citrix Systems, Inc. | Location/things aware cloud services delivery solution |
US20190104409A1 (en) * | 2017-10-03 | 2019-04-04 | Citrix Systems, Inc. | Location/things aware cloud services delivery solution |
US20210083902A1 (en) * | 2018-06-01 | 2021-03-18 | Huawei Technologies Co., Ltd. | Method for Managing Virtual Private Network, and Device |
US11799688B2 (en) * | 2018-06-01 | 2023-10-24 | Huawei Technologies Co., Ltd. | Method for managing virtual private network, and device |
US20220141191A1 (en) * | 2020-11-02 | 2022-05-05 | Pango, Inc. | Secure distribution of configuration to facilitate a privacy-preserving virtual private network system |
CN114640485A (en) * | 2020-12-01 | 2022-06-17 | 中移(苏州)软件技术有限公司 | Centralized access method, device, equipment and storage medium for service data |
CN113542094A (en) * | 2021-06-07 | 2021-10-22 | 新华三信息安全技术有限公司 | Access right control method and device |
CN113595847A (en) * | 2021-07-21 | 2021-11-02 | 上海淇玥信息技术有限公司 | Remote access method, system, device and medium |
US11799988B2 (en) | 2022-03-21 | 2023-10-24 | Vmware, Inc. | User datagram protocol segmentation offload for virtual machines |
Also Published As
Publication number | Publication date |
---|---|
CN101599901B (en) | 2011-06-08 |
US8274967B2 (en) | 2012-09-25 |
CN101599901A (en) | 2009-12-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8274967B2 (en) | | Method, system and gateway for remotely accessing MPLS VPN |
USRE46195E1 (en) | | Multipath transmission control protocol proxy |
US9853896B2 (en) | | Method, device, and virtual private network system for advertising routing information |
WO2014194749A1 (en) | | VPN implementation processing method and apparatus for edge device |
EP2154821B1 (en) | | Method and apparatus for sending and receiving multicast packets |
JP5579853B2 (en) | | Method and system for realizing virtual private network |
EP1811728B2 (en) | | Method, system and device of traffic management in a multi-protocol label switching network |
EP2031803B1 (en) | | Relay network system and terminal adapter apparatus |
US20160285736A1 (en) | | Access method and system for virtual network |
WO2009135404A1 (en) | | Layer two virtual private network cross-domain implementation (L2VPN) method, system and device |
JP2013504959A (en) | | Method and system for realizing virtual private network |
WO2006005260A1 (en) | | A virtual private network and the method for the control and transmit of the route |
WO2006002598A1 (en) | | A VPN system of a hybrid-site hybrid backbone network and an implementing method thereof |
WO2009021458A1 (en) | | Method, apparatus and system for connecting layer 2 network and layer 3 network |
WO2006105718A1 (en) | | A method for realizing the MPLS-VPN across the hybrid network |
WO2011113340A1 (en) | | Access method and apparatus for multi-protocol label switching layer 2 virtual private network |
WO2013139270A1 (en) | | Method, device, and system for implementing layer 3 virtual private network |
WO2008011818A1 (en) | | Method of realizing hierarchy-virtual private LAN service and network system |
WO2007112691A1 (en) | | System, method and network device for VPN customer to access public network |
WO2011009331A1 (en) | | Routing label distribution method and apparatus in virtual private network |
WO2005125103A1 (en) | | A virtual private network system of hybrid site and hybrid backbone network and its realizing method |
WO2005114944A1 (en) | | A method for implementing IPv4 and IPv6 mixing sites virtual private network |
EP1940085B1 (en) | | Method and device for service binding |
Cisco | | Remote Access to MPLS VPN |
Wu et al. | | Research on the application of cross-domain VPN technology based on MPLS BGP |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | AS | Assignment | Owner name: HANGZHOU H3C TECHNOLOGIES CO., LTD., CHINA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: XUE, MING; HAN, XIAOPING; REEL/FRAME: 024685/0734. Effective date: 20100607 |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| | FPAY | Fee payment | Year of fee payment: 4 |
| | AS | Assignment | Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: H3C TECHNOLOGIES CO., LTD.; HANGZHOU H3C TECHNOLOGIES CO., LTD.; REEL/FRAME: 039767/0263. Effective date: 20160501 |
| | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 8 |
| | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 12 |